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PREFACE 


The Orbiter subsystem hardware/ software interaction analysis examines software 
interaction with hardware failure modes. Each failure mode identified in 
subsystem FMEA (failure mode and effects analysis) is examined for interaction 
with software. The analysis, is based upon key questions which identify .potential 
issues. These potential issues are to be resolved by providing rationale for 
retention or identifying and. implementing, changes to eliminate the issue. 


The figure on the following page' illustrates the relationship, of the 
hardware/software interaction analysis to the verification process which' leads to 
the statement of flight readiness. As shown, the analysis is a supporting- item 
which is a portion "of the data base utilized by the FRAT's (flight readiness 
assessment teams) and the associated SEAM (Systems Engineering Assessment 
Meeting) teams in planning and control! ing, the verification process. The overall 
Issue of hardware/software interface compatibility is addressed by the verifica- 
tion process itself. The analysis scope is limited to examination of single 
failure modes, as identified in the FMEA, and the interaction of these failure 
modes with the software as reflected by the software requirements. 


The hardware/software interaction analysis is performed on a preliminary basis by 
the JSC Reliability Division. Results, are then coordinated with JSC engineering 
and Rockwell /Space Systems Group engineering and reliability to obtain inputs and 
approval signatures. The approval sheet for the AFT Reaction. Control System are 
presented below. The Rockwell signatures represent their review, of the open 
issues and risks, if any, performed against the summarization of the analysis. 
Section 5.0 presents- the analysis summary which- groups the failure modes by 
similar retention rationale and is a convenience in identifying groups of failure 
modes in which the analysis is similar. The reviews with Rockwell did not cover 
each checklist. The minutes presented in the appendix document the nature and 
depth of the Rockwell analysis review. 


This analysis verified that no 


open issues remain. 




' Joseph H. Levine 

ffi Chief, Reliability Division 
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l.o- INTRODUCTION . This report documents the results of the analysis of the 
hardware/ software interaction analysis for the AFT Reaction Control System. This 
analysis -examines the interaction between hardware failure modes and - software in 
order to identify associated issues/risks. These issues/risks • are resolved 
through, changes to software requirements' to remove them, or surfaced to 
project/program management with appropriate retention rationale. 

2.0 SCOPE .. All Orbiter subsystems and interfacing program elements which 
interact with the Orbiter computer flight software are analyzed. The analysis 
for each subsystem or interfacing element is presented in a separate volume of 
this report {see section 3.1). 

The analysis examines failure modes identified' in the subsystem/element FMEA 
(failure mode and effects analysis). Potential interaction with software is 
examined through evaluation of the software requi rements , not detailed 
implementation.. The analysis is restricted to flight software requirements only, 
and excludes utility/checkout software. The- BFS (backup flight system) software 
is considered only as necessary, and only as it differs from the primary; the 
basic thrust of the analysis is keyed to the primary system. 

The analysis is based upon the- hardware design and software requirements as they 
existed as of the date of the analysis. Future updates will be published as 
necessary to incorporate changes to either the hardware or software. 

3.0 APPLICABLE DOCUMENTS . 

3.1 HARDWARE/SOFTWARE' INTERACTION ANALYSIS REPORT VOLUMES. The hard- 
ware/software' interaction analysis results are reported on a subsystem basis, 
each in a separate volume. The separate volumes which make up this report are as 
f ol 1 ows : 


Volume 


Subsystem 


I 

II 

III 

IV 

V 

VI 

VII 

VIII 

IX 

X 

XI 

XII 

XIII 

XIV 

XV 

XVI 

XVII 


Purge, Vent, and Drain 

Payload Deployment and Retention 

Payload Bay Doors 

Main Propulsion 

Data Processing Subsystem 

Hydraul ics 

Auxiliary Power Unit 
Reaction Control 
Electrical Power Generation 
Orbital Maneuvering 

Environmental Control and Life Support 
Integrated Avionics 

Electrical Power Distribution & Control 

GNC (Guidance, Navigation & Control) Support 

Displays & Controls 

Communications & Tracking 

Instrumentation 



3.2 REFERENCE DOCUMENTS. The primary documents used in performing the analysis 
included the following: 

a. SD75-SH-17A, "Failure Mode Effects Analysis, AFT Reaction Control 
Subsystem," July 18, 1977. 

b. JSC 11174, "0V-102 Space, Shuttle Systems Handbook," September 22, 

1977. 

c. SD76-SH-0Q26A, "Functional Subsystem. Software Requirements, Sequence 
Requirements," March, 1978. 

d. SD76-SH-0020, "Functional Subsystem Software Requirements, Displays 
and Controls," February 1, 1978. 

e. SD76-SH-0027D, "Functional Subsystem Software Requirements, Systems 
Management," October 16, 1978. 

f. MG038103, "Backup Flight System Management/Special Processes and 
Sequencing Program Requirements Document," December 20, 1978. 

g. SD76-SH-0010E "Functional- Subsystem Software Requirements, Redundancy 
Management," June 1, 1979. 

4.0 DESCRIPTION . 

4.1 GROUND RULES. The hardware software analysis is performed according to the 
following ground rules: 

a. The hardware/software analysis will be limited to investigating the 
software- interaction with the failure inodes of the hardware as delineated in the 
subsystem FMEA's. 

b. Software interaction will be limited to involvement of software of the 
onboard computers. 

c. Only failure modes of hardware with software interfaces (softwa re 
monitoring and/or software control) are analyzed. 

d. The software detection must be considered with respect to each phase 
of the mission [prelaunch (OPS 1 only), ascent, onorbit, and entry]. 

4.2 ANALYSIS CHECKLIST. The basic tool for the analysis is the checklist 
(figure 4-1). A separate checklist is used for each failure mode analyzed. Note 
that the "FMEA Number" in the heading refers to the FMEA document number, not the 
page number on which the failure mode is treated. 

The checklist consists of three sections: Body, change/ retention rationale 

summary, and explanation/conments. Each of these sections is dicussed below. 

4.2.1 CHECKLIST BODY . The checklist body contains the questions which drive the 
analysis. Blocks representing the possible answers for each question are 

provided. Those answers identified by asterisks entail potential issues and 

require explanation. 
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SUBSYSTEM 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 

FMEA NUMBER - 


.. ITEM FAILURE MODE 

V 1 ' ’ ----- - 


1. 

OOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

YES 

0 NO 

□ 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

*Y£S 

□ MO 

□ 

2. 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT OETECTABILITY? 

YES 

□ *‘10 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

□ MO 

□ 

3a. 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

*YES 

O 

SC 

□ 

□ 

4. 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

*YES 

□ NO 

□ 

5. 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

*YES 

□ MO 

□ 

6. 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

~o □ *lQ 2U 

7. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

M/A DyESDnoD 

8. 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

yes 

Q*no 

□ 


B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

□ *NQ 

□ 


^EXPLANATION REQUIRED {SEE BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 

1. Q NO H/S ISSUES 3. Q NO SOFTWARE DETECTION 

2. □ HARDWARE ACCEPTS RISK - 4. □ DETECTION DURING CHECKOUT 


□ FMEA CHANGE RECOMMENDED 


EXPLANATIOM/COMMENTS : 


5. □ ACCEPTANCE RATIONALE 8EL0W 

6. P RECOMMENDED CHANGES BELOW 


Fiqure 4-1, Hardware/ Software Analysis Checklist 
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The questions in the checklist body are answered using the following guidelines:. 

a. Question 1. Will the information provided to the onboard software and 
the processing of that information cause annunciation of the failure and/or 
initiation of a corrective action in response to this failure mode? 

b. Question la. Answer question la. if the answer to question 1 is "no." 

Information available to the softv/are could be in the form of (1) sensor data 

used by onboard softv/are but not for automatic fault detection (data used in 

software routines or fault detection available through callup or dedicated 
displays); (2) system and/or subsystem performance parameters.; or (3) 
measurements which are downlisted. Answer "yes" if such information- could be 
used to annunciate the failure condition or initiate responsive action. In 

explanation comments, specifically identify the information available for 
software detection. 

c. Question 2. If all of the following questions are answered "no," 

check the "no" block and explain the difference in the explanation/comments 
section: 

(1) Are the' master measurements listed under "Failure Detectability 

In-flight" on the FMEA (1) used by the onboard software in detecting time 
critical failures (if routed to GPC), or (2) used- by the onboard software in 

annunciating non-time critical failures via callup displays,, or (3) downlisted 
for non-time critical failures? 

(2) Are other measurements, dedicated displays, crew detection, and 
system/subsystem parameters available or able to- detect this failure mode? 

(3 - ) If "failure detectabi-lity in-flight" specifies only software 
action, does the software actually initiate the corrective action as called out 
in the "corrective action" portion of the FMEA? 

d. Question 3. The question considers only the cases wherein the 
software determines a failure. 

e. Question 3a. Answer question 3a if the answer to 3 is "no." If the 
answer to 3a is "yes," call out the possible corrective action in the 
explanation/comments section. 

f. Question 4. The question is considered for both the detected and the 
undetected failure. The overstress or inducement of another failure may be 
acceptable action. Overstress by softv/are is improper commands, sequencing, or 
timing resulting in action exceeding hardv/are design requirements or exposing 
hardware to excessive environments - 

g. Question 5. The question is considered for both the’ detected and the 
undetected failure. Limit adverse effects to effects directly 1 - resulting from 
software commands or subsequent actions resulting from erroneous- inputs as a 
result of the failure. 

h. Question 6. The hardware/ software may change the method of detection 

and/or correction after the first or the second failure; consider this in 
answering the question. Determine if the software will be able to use the 
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redundance of the hardware. If the hardware/software interaction following the 
particular failure mode changes the criticality, in' comparison to the FMEA, check 
the box provided in the summary section of the checklist. 

i. Question 7. If crew action is not required to respond to the failure, 
check the "N/A" block. Cues, which provide inputs to the crew include but are not 
limited to cathode-ray tube annunciation, caution and warning, visual cues,, 
audible cues, callup and dedicated displays, subsystem status data, panel meters, 
etc. 


j. Question 8. A and 8.B. Answer these questions only if either question 
1 or 3- is "yes." 

(1) Question 8. A. Consider that the failure occurs while the 

vehicle is being flown using the primary system. What will happen if the BFS 

must be engaged subsequent to the failure? Wil-1 the fact that the failure has 

occurred prevent the BFS from operating properly, under any conditions? A "no" 
answer is a potential issue {requiring explanation), only if the BFS can normally 
tolerate the failure (when it occurs during BFS operation). 

(2) - Question S.B. Consider' that the failure occurs while the 

vehicle is under BFS control. A "no" answer is an issue (requiring explanation) 
only if the BFS response differs from that for the primary system. 

4.2.2 Change/Retention Rationale Summary. Each failure is assigned to one of 
six possible groups” based upon the answers obtained in the checklist body. 
Boxes are provided to indicate the category assigned. Figure 4-2 presents the 
criteria for group assignment. 

A box is also provided to indicate that changes are required to the FMEA. The 
FMEA evaluation of i n-f light detectability is sometimes inaccurate and requires 
change. In addition, other errors (e.g., incorrect criticality assignment or 
incorrect evaluation of redundancy screens) are occasionally noted during the 
analysis and are documented here. 

A space is provided to detail acceptance rationale-, change recommendations, or 
suggested FMEA changes.- This space may also be used to provide a short general 
comment to expand the retention rationale grouping. 

4.2.3 Expl anati on /Comments . Each question answered by checking a box identified 
with an asterisk is discussed in this section. The circumstances for checking a 
box not identified with an asterisk are discussed, and the rationale for not 
making such a change is presented, if applicable. This section may also be used 
to explain, expand, or- qualify answers- Each discussion is identified with the' 
corresponding question number. 

4.3 ANALYSIS SUMMARY. The analysis results are summarized on the basis of 
retention rationale grouping and recommended changes/retention rationale. Figure 
4-3 depicts .the form utilized for this purpose. A particular retention rationale 
definition, acceptance rationale statement, or recommended change is listed in 
the left column, with the applicable failure modes listed on the right. The 
issue/risk is briefly described with acceptance rationale or software 
requirements change recommendation. The- summary provides a basic overview of the 
total analysis results. 
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CHANGE/RETENTION RATIONALE 


1. NO * CHECKED - NO HARD WARE/ SOFTWARE ISSUES ARE APPARENT FROM THE ANALYSIS. 
SYSTEM IS FAIL OPERATIONAL/FAIL SAFE WITH RESPECT TO THIS FAILURE MODE UNDER 
CURRENT DESIGN. 

2. ONLY * CHECKED ON QUESTION 6 - NO HARDWARE/SOFTWARE ISSUES ARE APPARENT FROM 
THE ANALYSIS. RISK HAS BEEN ACCEPTED VIA HARDWARE CIL. 

3. ONLY * (YES) CHECKED ON QUESTION la - NO SOFTWARE DETECTION IS PROVIDED. 

FAILURE EFFECT IS NOT TIME CRITICAL. FAILURE MAY BE DETECTED BY OTHER MEANS 

OR FUNCTION IS NOT MISSION/SAFETY CRITICAL. 

4. * CHECKED ON QUESTION 3a - * ON la MAY OR MAY NOT BE CHECKED - SOFTWARE DOES 

NOT TAKE CORRECTIVE ACTION FOR FAILURE. FAILURE EFFECT IS NOT TIME 
CRITICAL. CORRECTIVE ACTION MAY BE INITIATED BY CREW. PLANNED CHECKOUT 
ACTIVITIES WILL DETECT FAILURE. SYSTEM IS FAIL OPERATIONAL/FAIL SAFE 

WITHOUT SOFTWARE DETECTION AND CORRECTION. 

5-. STANDARD RETENTION RATIONALE DOES NOT APPLY. SPECIFIC RETENTION RATIONALE 
IS SUMMARIZED FOR THIS FAILURE. 

6. ISSUES IDENTIFIED AND CHANGES ARE DESIRABLE. SPECIFIC CHANGES ARE 

SUMMARIZED. 

NOTE: DO NOT CONSIDER ANSWER TO QUESTION 2 IN DETERMINATION OF 

CHANGE/RETENTION RATIONALE SUMMARY CODE. CONSIDER RESPONSES TO BOTH 
QUESTION 2 AND 6 IN DETERMINING -WHETHER AN FMEA CHANGE IS REQUIRED. 

6.0 ANALYSIS CHECKLIST SHEETS 


Following are the analysis checklist sheets for each failure mode evaluated. 


Figure 4-2. Change/Retention Rationale 
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Figure 4-3, Hardware/Software Analysis Summary 





The subsystem failure modes not analyzed are also identified. These failure 
modes were evaluated as having hardware/software interfaces. Figure 4-4 depicts 
the form utilized for this purpose- 

5.0 ANALYSIS SUMMARY SHEETS . The analysis results are summarized on-, the 

following sheets. The failure modes have been grouped by issue/ retention 
rationale (or change), affording an overview of the results for the entire 
subsystem. 
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FAILURE MODES NOT INCLUDED IN HARDWARE/ SOFTWARE ANALYSIS 
EVALUATED AS INVOLVING NO HARDWARE/SOFTWARE INTERFACE 


SUBSYSTEM 


FMEA 


ITEM 


FAILURE MODE 


Failure modes analyzed included only those items currently on the critical 
list. All other failure modes will be analyzed at a future date. 


i terns 


Figure 4-4. 


Failure Modes Not Included In 
Hardware/Softvare Analysis 
9 



SUBSYSTEM AFT - RCS 


HARDWARE/ SOFTWARE ANALYSIS SUMMARY 


FMEA SD72-SH-Q1Q3-2 


ANALYSIS RESULT 

ITEM/ FAILURE MODE 

HARDWARE ACCEPTS RISK 

O 

Helium Tank External Leak (03-2A-201010-1 ) 

Helium Feed Line - External Leakage {03-2A-201 01 3-1 ) 

D„ C. Solenoid Valve, Helium - Fails Closed (03-2A-201 020-1 ) 

Line, Low Pressure Helium - External Leak (03-2A-201 035-1 ) 

Helium Fill Quick Disconnect - Fails Open (03-2A-201 070-1 ) 

Purge Quick Disconnect, Propellant - External Leakage (03-2A-201 080-1 ) 
'Test Quick Disconnect - External Leakage (03-2A-201 090-1 ) 

Feedline and Fittings, Fuel - External Leakage (03r-2A-2021 08-1 ) 
Propellant Fill and Bleed Disconnect - Fails Open (03-2A-202150-1 ) 
Propellant Tank Assembly - External Leak (03-2A-21 1110-1 ) 

Propellant Tank Assembly - Bubbles in Propellant (03-2A-21 1110-2) 
Injection Plate - Restricted Flow ( 03-2A-221 311 -1 ) 


Thrust Chamber - Burn-Thru (03-2A-221 312-1 ) 

Nozzle Extension - Burn-Thru (03-2A-221313-1 ) 

Vernier Thruster - Loss of Output ( 03-2A-231 310-1 ) 
Vernier Thruster - Fails to Stop Firing (03-2A-231310-2) 
Vernier Thruster - Burn-Thru (03-2A-231 31 0-3 ) 


HARDWARE/ SOFTWARE ANALYSIS SUMMARY 


SUBSYSTEM AFT - RCS 

FMEA SD72-SH-0103-2 

' ANALYSIS RESULT 

ITEM/FAILURE MODE 

DETECTION DURING CHECKOUT 

! 

i 

Helium Pressure Regulator - Restricted Flow - Fails Closed (03-2A-201 030-2) 
Helium Quad Check Valve - Fails Closed ( 03-2A-201 095-2) 

Feedline and Fittings, OX - External Leakage (03-2A-2021 09-1 ) 

Tank Isolation Valve, A, C, - Fails Closed (03-2A-2021 1 0-1 ) 

Tank Isolation Valve, A. C. - Fails Closed (03- 2A-2021 10-3) 

Interconnect Valve, A. C. - Fails Closed (03-2A-202111-2) 

Manifold Isolation Valve, A. C. - Fails Closed (03-2A-2021 20-3) 

Manifold Isolation Valve, D. C. - Fails Closed (03-2A-202140-1 ) 

Giinbal Joint - External Leakage (03-2A-21 1 1 20-1 ) 

Bellows Assembly - External Leakage (03-2A-221 308-1 ). 

Engine Inlet Valve - Fails Closed (03-2A-22131 0-4) 




HARDWARE/SOFTWARE ANALYSIS SUMMARY 


FMEA SD72-SH-0103-2 


SUBSYSTEM aft .. 


ANALYSIS RESULT ITEM/FAILURE MODE 

NO SOFTWARE DETECTION Relief Valve - External Leak - Fails Open (03-2A-201 060-4) 


ro 





HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-01 03-2 
SUBSYSTEM AFT - RCS FMEA NUMBER 03-2A-201010-1 

ITEM He Tank FAILURE MODE External Leak 

^ r - - I ““ “ 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

YES 

0 NO 

□ 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

*YES 

□ NO 

P 

2. 

ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGhT DETECTABILITY? 

YES 

[7] *N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

□ NO 

m 

3a. 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

*YES 

o 

□ 

m 

4. 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE QVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

*YES 

□ no 

m 

5. 

CAN THIS FAILURE MOOE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

*YES 

0 NO 

a 

6. 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

*0 0 *lQ 2Q 

7. 

IF CREW ACTION IS REQUIRED TO RESPONO TO THIS FAILURE MOOE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

m QyesQnoQ 

8 . 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS 8E ENGAGED AFTER OCCURRENCE? 

YES 

(Xj*NO 

□ 


B- WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

□ *N0 

m 

*EXPLANATION REQUIRED (SEE BELOW) 





CHANGE /RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 3.P NO SOFTWARE OETECTION 5. □ ACCEPTANCE RATIONALE 3EL0W 

2.0 HARDWARE ACCEPTS RISK 4. □ DETECTION DURING CHECKOUT 6. □ RECOMMENOED CHANGES BELOW 


□ FHEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS : 

1. V42P3110, 3113 (Right AFT) or V42P2110, 2113 (left AFT) He tank transducers will issue 

a class 3 alarm, RM GAX blue light on the crew-cockpit glare shield, upon sensing low 
pressure < 500 psi. Gross leak detection C&W is first indication. 

5. A He tank leak will adversely affect the RCS quantity monitor principal function by 
causing meter M4 (panel 03) "RMS/OMS propellant quantity" to indicate an erroneously 
low percent quantity remaining. This is because He tank pressure is used in the software 
calculation. See FSSR 26 "sequencing", principal function 4.102. 

6. No redundant tanks - loss of RCS function. Crossfeed is available. 

8B. Same as primary. 
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SHUTTLE CRITICAL ITEMS LIST - PRRITSP. 102 


SUBSYSTEM : A FT - REACTION CONTPGL 
ASSEMBLY : PRESSOR IZ AT'I DM 
P/N PI :MC 2 32-0 002-00117-0032 

P/N VENDOR: 3LD-999040-1/- 2 
QUANTITY :4- 

:TKO BOTTLES R.SC? PER 
5 MODULE; OLE PER P'?UP„ IK. 


FHgA NO 03—2 A — 2QlOiO— L - PEV:’l/08/7S 

ABORT : OUT. rUNC: 1 

CR IT . HOW : I 

MISSIONS: HP VF X F r OF SM 
PHASE! S ) : PL X LQ X CD X DO X LS 


REDUNDANCY SCREEN: 
i 


A— N/ A 


B-N/A 


C-N/A 


PREPARED BY: 

OES 

REL 


J TAGGART 
C AKERS 



>c/. BY 1 . 

, .... 


ITEM: TANK 

HELIUM STORAGE, FILAMENT WOUND 
FUNCTION: 


APPROVED BYytNAS^J: 

S$M ‘ 

R 

^ APPROVED WITH CHANGES 
See Section 13-0 


. TC store HELIUM AT A MAX v OP. KING PRESSURE OF 4<1QC PSI FOR 

PRESSURIZATION OF THE AFT RCS MODULE’S PROPELLANT SU°PLY SYSTEM. TANK 
CONSISTS OF DOUBLE MELT TI LINER WITH DUPCNT KEVL A ? 4° FI. TER AND EPOXY 
RESIN BONDING CVERMsiP. T.O. 1$ 13.71 IN. VOLUME IS 30Q8 CU. IN. 
.FAILURE MOOS: STRUCTURAL FAILURE IS) 

. EXTERNAL LEAK 


I CAUSE! S 1 : 

. MAT 1 L DEr, L 
SHOCK, VI3, 

. EFFECT !S): HN 
. ! A 3 LOSS OF 

INABILITY TC 
TPS. { C) MI 
LOSS .OF CREW 
CAUSING DANA 
RETENTION OF 
.0 IS D 0 S I TIGN £L 
. (A) FILAMENT 

LIMITS FMLU 
TENSILE STFE 
INCREASED ST 


I HER OEF, FAULTY FAB, EPOXY CURE IN ACE Or TEST/ HANC-L DAM, 
INADVCR LVERP-.ESS (G*0 ) , IN40SQ MOUNTING 
(A) SUBSYSTEM { 3 IlNTEfl FACES (Cl MISS ION (0) C?SW /VEHICLES 
FUNCTION /SUB SYSTEM !.BJ loss of INTERFACE function - 

05°LETE/UTIl iZE o R0P, POSSIBLE DAMAGE T” POO STRUCTURE 5 
SSTON MOOT? ICUIPN - X-FEED FF CM 0 M S OP PCS. CD) PQSSI3LE 
VEHICLE EXCESS RAT= C-P LEAK NAY EXCEED PCD VENT CAP A3 
GE TO POD STRUCT u DEGRAD OF THERMAL P^OT SYS. EXCESS 
PROP MAY ADVERSELY AFFEC* 5 * VEH DY.\ DUPING ENTRY t L MCG.. 

RAT I CM ALE ! A ) DESIGN ( B ) TEST <C) INSPECTION C0)FAIL«JP£ HISTORY: 
WRUNG TANKS OR c DESIGNED TQ LEAK BEFORE FIJPTUP.E WHICH* 

RE PROPAGATION DUE TO SHRAPNEL. KEVLAR. 49 FT 3 ER HAS A 
NGTH OF BOOKS! ALLOWING LIGHT WEIGHT WITH GREAT STRENGTH. 

RAIN CAPABILITY IS PROVIDED BY THE COMPRESSIVE LOAD CN A 


UNPRESSUR IZEC LINE 0 . VENT OCCRS ARE OPEN ON CR BIT' AND WILL F ELI V E ANY 
PRESSURE BUILDUP DUE TO LEAKAGE .. THE F.S. (8'J t ’ST)'lS 1.5 X WORKING 
PRESS. ( 3 } 1000 PRESSURE CYCLES ARE PERFORMED DUPING QUAL WHICH IS MQRF 
THAN 4 X ANTICIPATED OPER A T ING LIFE. A 90-DAY CREEP TFST UNOER PRESSUPE 
IS ALSO PERFORMED AFTER WHICH THE TANK IS EXAMINED TG VERIFY NO 
PERMANENT DEFCPMAT-I Of) OR C LAW GROWTH. P°UOF PRESSURE !l.LO X WORKING 
PRESSURE) AND LEAKAGE TESTS ARE PtRFOM£o CURING ATP. (C) AN 
IDENT IF ICATI 0” IS PERFORMED AND THE UNIT TAGGED. RAW MAT’ L AND 
PURCHASED COMPONENT RE'JMTS ARE VERIFIED BY DECEIVING INSP. MEASUREMENT 
STANDARDS AND TEST EOUI°. STAMQAROS ARE IMPLEMENTED PER KECMTS OF MIL 
SPECS. THE FOLLOWING ITE-5 ARE VERIFIED C'i SHOP TRAVELER MANDATORY 
INSPECTION POINTS - PARTS PROTECTION, MFG. PROCESSES, FINISHES, ASSY AND 
INSTALLATION. THE FOLLOWING ITE^S WERE VERIFIED BY AUDIT CONDUCTED 
5-23-77 - CORROSION PROTECT ION °ROVISIONS, TEST HANDLING* AND STORAGE 


ORIGINAL PAGE'S 
OF POOR QUALITY 


Q77 is 


s H75-s'n>oo03 



SHUTTLE CRITICAL ITEMS LIST - GRRITER L02 


SUBSYSTEM iAFT - REACTION CONTROL FMEA NO 03-ZA -2QIQI0-L REV: 11/03/ 
ENVIRONMENTS. TENSILE, HEAT TREAT A NO HELD SAMPLES ARE TESTED CURING 
IN-PROCESS FABRICATION IN ADDITION TC X-RAY £ DYE PENETRANT FOR THE 
LINES- WIND PATTERN £ WINCING CCNTRCL APE USED FG C THE KEVLAR FILER 
DURING IN-PRGCSSS MANUFACTURE. WEIGHT CCNTRCL IS USED FCR THE EPOXY' 
RESIN- TURNAROUND - NON £ TOR LEAKAGE TESTS PERFORMED AFT cp INSTALLATION 
INTG THE SYSTEM AND AS PAPT CF THE CHECKOUT PROCEDURE PRIOR TO FLIGHT. 
PRESSURE CYCLES ACCUMULATED ARE ALSO RECORDED. (D) NONE AVAIL ABLE NEW 
DESIGN- ’ 


STS 

[6 


SQ7o “SE-0 003 



SUBSYSTEM AFT - RCS 
ITEM He Feed Line 


- HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

FMEA NUMBER 03-2A-201013-1 

: FAILURE MODE External Leakage 


1 . 


la. 


3. 


3a. 


• 4 . 


6 . 


DOES THE FLIGHT SOFTWARE OETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION III RESPONSE)? 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 


HOW MANY OF THESE HARDWARE FAILURES CAM THE SHUTTLE TOLERATE (COMSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 


YES 

□ 

NO 

□ 

*YES 

□ 

HO 

P 

YES 

□ 

*NQ 

a 

YES 

□ 

NO 

a 

*YES 

□ 

NO 

a 

i 

*YES 

□ 

NO 

a 

*YES 

n 

NO 

DET 

*o 0 *1| 

□ ; 

zD 


N/A □YES(X]N0Q 

YES 0}*NO Q 
YES □*NO jjQ 


CHANGE/RETEHTIQN RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2. [J] HARDWARE ACCEPTS RISK 


3. D NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5 . □ ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


0 FMEA CHANGE RECOMMENDED 


EXPLANATI0M/CQMMENT5 : 

1. V42P3110, 3113 (Right AFT) or V42P2110, 2113 (leftAFT) He- Tank transducers will issue 
a class 3 alarm, RM GAX blue light on the. crew-cockpit glare shield, upon sensinq low 
pressure < 500 psi'. Gross leak detection C&W is first indication, 

2. ■ FMEA Change - For "failure detectable in flight" V42P-2110C through 2114C and 3110C 
through 3114C should be V42P2110C, 2112C, 2112C, 2113C, 2114C and 3110C, 3112C, 3113C 
3114C dropping out 2111C and 3111C which do not exist. 

6. Feedlinesare criticality 1 with no remaining success paths. Crossfeed is available. 
8b. Same as primary. 
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SHUTTLE CRITICAL ITEMS LIST - CRCITcP 102 


SUBSYSTEM : AFT - REACTION CONTROL 
ASSEMBLY : ? RE SSUR I2AT ION HELIUM 
P/M RI :MC62l-0Q59 
P/N VENDOR: 73A63000G 
QU AMT IT Y : 4 

:ONE SET PER PROPELLANT 
: PER MODULE 


F MSA NC 03-2A -201012-1 REV: 12/13/73 
ABORT: CRIT. rUNC: t 

CR IT . HOw: 1 

MISSIONS: HF VF X FF OF SM 
PHASE IS ) : PL X LQ X 00 X GO X LS X 


Redundancy screen: ' a-n/a s-n/a c-n/a 


PREPARED 3Y : 

OcS N C GLAVINICH 

REL C M AKERS 


APPROVED„BY 
DES ^ 

PEL £_£.< 



‘/Z/T7 


ITEM: HELIUM FEED LINS 


APPROVED EY 
SSM T j£l±L# 

siwi4 f ._aoja 



^ APPROVED WITH CHANGES 
■ See Section 13.0 


FUNCTION: 

1/2 X .042 304L S.S LINES TC PROVIDE HcL Id M FEFO FRO' 1 HELIUM TANKS TC 
• hELIUM RE5UL4TICN/PRE3SUR IZATICN SYSTEM PA.nEL 
FAILURE MODES STRUCTURAL FAILURE IS) 

RUPTURE* EXTERNAL LEAKAGE 
CAUSE(S): 

MAT * L OEF (SULPHIDE STRINGER), VIS* SHOCK , STRUCT FAIL, FATIGUE, n.rLD 


OEF , STRESS CORPUS, Imp INSTALL. 

EFFECT [ S ) : CN ( A ) SUBSYSTEM { B ) I NTEP.F ACES ICl’MSSlCv { J ) C-.E«- /V=H TCLE: 

(A) LOSS OF SUBSYSTEM PScSSUF iZATt ON CAPA?IL5"Y IF LOT ISOL (FAIL 
UPSTREAM OF rSOL VLV-t MAR T L ITY TO DEPLETE/ UT IL I Z5 P°OP ) . ( S- ) LOSS OF 

INTERFACE FUNCTION (INA2IL TC REPRESS PPCP T A’F'. - °CT = 00 STRUCT C TPS 
DAM, (C) ABORT DECISION { LOSS OF PRFSS) ' { 0 ) POSSIBLE LOSS OF 

CP.ES/ VEHICLE - IF LEAK EXCESS OR PGD/T»S OAF CrruPS 
.DISPOSITION £ RATIONALE (A)OSSIGN ( B ) TEST (C ) I >»S*£CT ION (D)FAILURE HISTORY: 
. (A) F.S . IS 1.5 TO 4.0 MAXIMUM' OPERATING PRESSURE ($Y$T=m RELIEF). 

THE W ELDED CONSTRUCTION 'ELIMINATES JOINTS AND POSSIBLE LEAK PATHS. 

THE ANNEALED AREA (DUE TO WELDING) IS SACKED JP BY- A. SLEEVE. 

FASTENING CLAMPS ALLOW FREEDOM CF MOVEMENT. TUBING BENDS ARE 


CONTROLLED BETWEEN FIXED POINTS TO FACILITATE INSTALLATION AND 
ACCOMMODATE VEHICLE GROWTH AND -MOVEMENT. (3) POCK WELL PERFORMED 
TUBING CERTIFICATION TESTS PER "CR8ITF-R TUBING VERIFICATION 
PLAN" (SD 75— SH— 0205 ) . THIS TESTING INCLUDED PRESSURE CYCLING' AND FOR 
TYPICAL SHUTTLE LIMES £ JOINTS. SYSTEM .EVALUATION TESTS AT WSTF WILL 
ALSO ALLOW EVALUATION IN THE INSTALLED SYSTEM CONDITION. LEAKAGE TESTS 
ARE PERFORMED IN-PRGCES FOR TUBING SECTIONS. OPTICAL INSPECTIONS ARE 
ALSO PERFORMED AT THIS TIMS IN ADDITION TO X-RAY AND OYE PgNSTCANT. 
LEAKAGE TESTS ARE ALSO PERFORMED AFTER INSTALLATION INTO THE SYSTEM AMO 
ADDITIONAL WELCS ARE ALSO SUBJECTED TO NOE . ID AN IDENTIFICATION IS 
PERFORMED AND THE UNIT TAGGED. CQNTAM. CONTROL P c OC£SSES, CO c RGS. 
PROTECTION PROVISIONS. NOE EXAM OF WELDS AND I MSP. FOP SURFACE AND 
SUB-SURFACE DEFECTS IS VERIFIED BY INSPECTION.. THE FCLLCw ING ITEMS ARE 
VERIFIED 8Y SHOP TRAVELLER MANDATORY I NSP. POINTS . RAW w AT f L (LOT 
CERTIFICATION), PARTS PROTECTION, MANUF. , COATING, PLATING, INSULATION 
AND ASSEMBLE OPERATIONS. HARDWARE IS INSP. IN ACCORDANCE WITH QUALITY 
PLANNING REQMTS OOCUMENT (QPRO) WHICH HAS 3ECN- AP°R0V6D EY NASA. 
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SHUTTLE CRITICAL ITEMS LIST - CR SITcR 102 


SUBSYSTEM :A FT - REACTION CCNTRCL FMEA NO 03-2A -20L013-1 REV:12/I3/7S 

TURNAROUND - LINES IN ACCESSIBLE AREAS ARE VISUALLY INSPECTED FOR 
EVIDENCE OF 0 A MAGE AND FLCi-i AND PRESSURE FUNCTIONAL TESTS ARE MONITORED 
FOR EVIDENCE OF OBSTRUCTION OR LEAKAGE*. CO) M I NCR HISTORY - 
.CORROSION/ FAQ PRGSLEMS DETECTED DURING A PC l LG CHECKOUT AND CORRECTED. 



PA8S IS 
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•HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD7Z-SH-0103-2 
SUBSYSTEM AFT - RCS . _ ' FMEA HUMBER 03-2A-201020-1 

ITEM D.C. Solenoid Valve, He FAILURE MODE Fails Closed 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY* 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? - 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la* CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS. OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE QVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? • . 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, .ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 


YES 0. NO Q 
*YES 0 NO p 
YES Q *NO 0 
YES P NO [Xj 
*YES Q NO' [Xj 

*YES □ NO (3 
*YES P NO P 

*0 □ *10 zD 
N/A □ YES0NO0 


YES 0*NO- □ 
YES (0*flO 0 


CHANGE/RETENTION RATIONALE SUMMARY 

1. Q NO H/S ISSUES 

2. GD HARDWARE ACCEPTS, RISK 


3. Q NO SOFTWARE DETECTION 
4’. □ DETECTION DURING CHECKOUT 


5. Q ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED* CHANGES BELOW 


See Note 2. 


□"FMEA CHANGE RECOMMENDED 


EXgy NATION /COMMENTS : 


1. Ullage transducer will give C&W alert < 200 psi. 


2. Measurement numbers V42X2124X, 2126X, 3124X, and 3126X (Eu He isolation valves) needs to 
be added for detectabil ity since only the measurement stimulus identification numbers for 
the oxidizer valves are listed now. 
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SHUTTLE CRITICAL ITEMS LIST - CRo ITER 102 


SUBSYSTEM : AFT - REACT £CM CONTROL 


FMEA NO 02— 2 A -20I020-L 


REV : 12/12/ T f 


ASSEMBLY 


1RRESSUR IZAT ION 


P/N RI : M C2 8A--OA 19 -001 1 A-001 Z _ 

P/N VENDORS 73835 
QUANTITY S3 

iTVG VALVES RSQ* 0 FOR 
SH HELIUM' SUPPLY 


ABORT : 

MISSIGNS: 
PHASE! S ) : 


HF 

PL X 


CRIT. FUNC: LR 

CRIT. HOW: 2 

VF X FF CF SM 
LO X CO X OG X LS 


5AC 


i 


P.SOUNCANCY -SCREEN I A-P ASS 8-PASS C-Fil. 


PREPARED 

OES 

REL 


by; 


R BURKHART 
C M- AKERS 


APPROVER BY,:, 
QcSJpfejm: 
REL (LX. 



St/rf 



APPROVE 
SSM 
Rc> 

Ab mMED WITH CHANGES 
ee Section 13.0 


HELIUM ( 1/2"}- 3I-ST43LE. I LA T CHI*J6 - 
LV 20 L/ 20 2/2 03 /ZC^-/ 30 1/ 30 2/ 303/ 304* 


ITEM: VALVE, Q.C. SOLENOID 
OPERATED, HIGH PRESSURE* 

MAGNETIC £ SPRING FORCE 3 

FUNCTION: 

. -UTILIZED TO CONTROL HELIUM PRESSURIZATION SYSTEM IN r F£ AFT MODULES. 

IN THE OPEN POSITION A FLOW PATH IS PROVIDED FRO? 4 THE HELIUM SUPPLY 
TANK ( SI TO THE REGULATORS. TWO PARALLEL PATHS A?E ^CVIOED FC?' EACH 
PROPELLANT TANK. ONE PATH IS NORMALLY 0°5N PER TANK. OPEN VALVE 

MAY BE CLOSED AND THE PARALLEL VALVE CPS-lEC SUBSEQUENT TC A DOWNSTREAM 
FAILURE. 

.FAILURE MGD5: PAILS CLOSED f P) 


.CAUSE(S): 

VIB CONTINUOUS INACVSR CLOSING SIGNAL OUc TO SHORT CIRCUIT, SHOCK, 

’ CONNECTOR PIN OR DIODE DAMAGE, JAMMING OF PUPPET, ^LUGGED ORIFICE. 
.EFFECT! S): ON {A} SUBSYSTEM { B 3 INTERFACES (OMISSION !D 3 OTSW/VEH ICLE: 

. ( A ) LOSS OF REDUNDANCY - PARALLEL PATH AVAILABLE. (33 NO EFFEC 7 * 

(C) A3GRT DECISION - DUE TO ONLY ONE PATH REMAINING ?*ICR TG CRITICAL 
EFFECT. { 0 J NO 'EFFECT . CS) - FUNCTIONAL CRITICALITY EFFECT — °GSSIBLE 

CREW VEHICLE LOSS - FAILURE OF REDUNDANT PARALLEL FLOW PATH WCULD 
RESULT IN INABILITY TG 3UPM OR DEPLETE RCS PROPELLANT. THIS MOULD 
RESULT IN POSSIBLE INABILITY TO CONTROL VEHICLE DURING ENTRY DUE TO 
IN48ILITY TO USc RESERVED ENTRY PROPELLANT GR C.G. PROBLEMS RESULTING 
FROM PROPELLANT WEIGHT. 

.DISPOSITION £ RATIONALE (A)OESIGN ! B 3 TEST (C) INSPECTION ! D J F AILUP- E H I STOP Y : 
. CA) PARALLEL VALVES ANO REDUNDANT POWER SOURCES ARE PROVIDED.. ULLAGE 
PRESS IS ADEQ FOR PROP FEED WITH' LESS THAN 35 PERCENT PP.CP REMAINING. 

ONE VALVE IS MAINTAINED IN THE LATCHED OPEN POSITION WITH NO POWER 

APPLIED £ THE OTHER IS LATCHED CLOSED- AN INDUCTIVE VOLTAGE SUPPRESSION 

CIRCUIT IS PROV IN THE ELECTRICAL SYSTEM TQ PREVENT DAMAGE TG GTHER 
GN-LINE COMP. . REGUN OIOOSS LIMIT THE POSS OF 'DIODE FAILURE ALLOWING 
CURRENT! SHUNT 'FROM THE COIL. A 100-MICRGN FILTER IS PROV TO LIMIT THE 

POSS OF CONTAM CAUSING LEAKAGE, JAMMING MOVING 0 ARTS - OR PLUGGING PILOT 

CONTROL ORIFICES. TC LIMIT THE ELECT SHORT POTENTIAL, THE LEAD ANO 
MAGNET WIRES ARE ENCAP BY POTTING AND A FIXTURE IS USED DURING ASSEMBLY 
TO ENSURE THAT INSUL IS NOT DAMAGED 3Y THE EXIT NOTCH WHEN THE COIL 
SLEEVE IS PRESSED ONTO THE COIL. (B) AQOO OPtR CYCLES ! ON-OFF-FLCW 3 AND 
RANDOM VIB AT ANTIC MISSION LEVELS ARE PERF DURING DUAL. ITEM IS- USED 
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SHUTTLE CRITICAL ITEMS LIST 


- OR 5 1 TER 102 


SUBSYSTEM : AFT - REACTION CONTROL FMEA NO 03-24 -2GL02D-1 REVS'L2/12/7 

DURING SYS EVAL TESTS AT »STF ALLOWING EVAL UNDER 5 1 MU L MISSION USAGE 
CONO. PROOF PRESSURE, LEAKAGE, OPER AND INSUL TESTS ARE p ERF DURING 
ATP. APRQP LOCATED TEST POINTS ALLOW PRE/ a QST FLIGHT LEAKAGE TESTS AND 
OPER TESTS ARE ALSO CONDUCTED AT THIS TIME. CO AN I DENT IS PERF AND 
THE UNIT TAGGED. CGNT AM CO NT PROCESS, CQRRGS. PROT PROV, NOS EXAM. OF 
WELDS AND BRAZES, INSP. FOR SURFACE AND SUBSURFACE DEFECTS AND PROPER 
ELECT TERMINATIONS APE VERIF 3Y iNSP. THE FOLLOWING ITEMS ARE VERIF BY 
SHOP TRAVELER MANDATORY INSP. POINTS - R 4^ «4T»L (LOT CERT), "ARTS PRGT, 
MANUF., COATING, PLATING INSTALL 4N0 ASSEMBLY CPE?. THE ABOVE ITEMS AND 
THE FOLL ITEMS WERE VERIF BY AUDIT CONO B-3I-77. CQ f 4 T AM C0N7 
PROCESSES, CQRROS. PRGT °ROV. TURNAROUND - FUNCT FLOW TESTS ARF 
MONITORED TO VERIFY THaT VALVES C 5 HN AND CLOSE PROPS 6 LY UPON COMMAND. 

CD) APOLLO FAILURES WERE MAINLY ASSOC WITH REVERSE °DLAR TTY A'lO 
DEGAUSSING OF MAGNETS. THE ShUTTLE VALVE UTILIZES A CONNECT OR (RATHER 
THAN LEAD WIRES) AND BLOCKING DIODE WHICH °R EVENTS THIS T YPE CF E-ROR 
DURING CONN. 4 PCTE.NT ELECT SHORTING PRO?. OK 1 SIMILAR VALVE CUE TO . 
INSUL DAMAGE WAS DISCGV DURING OUAL AND CC D R 43 DESCRIBED IN ITEM ( A) • 
ABOVE. 


25 

1.001 


SD75-SH-0003 



HARDWARE/SOFTWARE ANAL.YSIS CHECKLIST SD72-SH-0103-2 

SUBSYSTEM AFT - RCS FMEA NUMBER n3-?A-7mfnO-? 

ITEM He Pressure Regulator FAILURE MODE Restricted Flow - Fail 1 ; Cl nspri 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

YES- 

HI M 

□ 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

*Y£S 

□ NO 

P 

2. 

ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

YES 

[xj *N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COM! IAN DING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

□ NO 

E3 

3a. 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

*Y£S 

® NO 

□ 

4. 

AS A RESULT OF THIS FAILURE MOQE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

*YES 

□ NO 

0 

5. 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

*YES 

□ NO 

D 

6. 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

*o □ 

1 *iQ ?□ 

7. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

N/A QyESOInoU 

8. 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

yes 

0*NO 

□ 


B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

0*NO 

□ 

*EXPLANATIGN REQUIRED (SEE BELOW) ' 





CHANGc/RETENTIOH RATIONALE SUMMARY 

!.□ NO H/S ISSUES 3. D NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE 8ELOW 

2. □ HARDWARE ACCEPTS RISK 4. CS DETECTION DURING CHECKOUT 6. QrECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 

EXPLANATION/ COMMENTS : 

1. Ullage transducer will give C&W alert < 200 psi. 

3A. Software could provide automatic switchover to parallel leg - ., 

6. 1 success path remaining after first failure. 

7. Cathode-ray -tube and downlist is available. 
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SHUTTLE CRITICAL ITEMS LIST - CRB ITER 102 


SUBSYSTEM : AFT - REACTION CONTROL 
.ASSEMBLY iPPESSURIZATICN 
P/MR I 2 MC 2 84— 0 A 1 3 -0001 /-GQG2 

P/M VENDOR: T433<3CQL 
QUANTITY :3 

:TWO PARALLEL* DUAL 
IST&GE UNITS PER T ANK 


FMEA NO 03-2 A -201030-2 


REV: 11/0 3 


ABORT: 

.MISSIONS: 
PHASE ( S 3 : 


HF 

PL 


VF 

LO 


CRIT. FU'iC: l-> 

CRIT . HO*: 2 

FF 3F SM 
CC X UC X LS 


REDUNDANCV^CSEEM: A-PASS E-PASS C- 3 


PREPARED BY: 

OES 

REL 


J. TAGGART 

C M AKERS' 


i 


APPRjOUcD JSYij^ / 

a e.s 

REL 




PROVED WITH CHANG ES 
See Section 13.0 
CPP 


ITEM; REGULATOR PRESS* HE 

SERIES REDUNDANT. SET AT UNEQUAL OUTLET PRESSURES 
30 1/302/303/ 30 4) . 

FUNCTION: 

TO REGULATE STORED HELIUM PRESSURE FRC-M 4CC-C PS IS MAX TO ULLAGE 
'■ PRESSURE OF 245 (+ OR - 3) PS [G FOR PURPOSE OF PROPELLANT FEED TO 
THRUSTERS. TWO PARALLEL PATHS VI^H TWO SERIES PEGS APE P c CVIDEO FOP 


:7 11 
CFi 


°SI LOWER THAN SECONDARY, 


EACH PROPELLANT TANK. PRIMARY ELEMENT 
.FAILURE MOOS: FAILS CLOSED 

. RESTRICTED ?Uh 
•CAUSE! S ) : 

. CONTA.M (PILGT SCREEN 3 * FROZEN MOIST, S?RT’.G/ST?m FRACTURE* PIS' 
BINDS, EXCESS DOME PRESS, COCKED SPRINGS* 'MT»l OET. 

. EFFECT! S } : ON ( A 5 SUBSYSTEM { B > r MTc»F ACES (Ci-'ISSICN ( >J ) CRSW/VEH ICLE: 


N 


(A, 81 LOSS OF REDUNDANCY (ONE OF 2 FLOW PAThSI. 


(Cl ABCRT CECISIC.N. 


1 01 NO EFFECT UNLESS SECOND PATH FATLS CLOSED, REENTRY CAP A3 IS LOST IF 
FAILURE OCCURS EARLY IN ENTRY SUCH THAT ULLAGE P°E3S IS N0 T SUFF. 

(E) FUNCTIONAL CRITICALITY EFFECT - POSSIBLE CREW/ VEHICLE LOSS. FAILUR 
• OF REQUNOANT PARALLEL FLOW PATH WOULQ RESULT IN INABILITY TC BURN GP. 
DEPLETE RCS PROPELLANT. THIS WOULD RESULT IN POSSIBLE INABILITY TG 
CONTROL VEHICLE OURING ENTRY DUE TO INABILITY TO USE RESERVED ENTRY 
PROPELLANT OR C.6. PROBLEMS RESULTING FROM PROPELLANT WEIGHT.. 

-DISPOSITION £ RATIONALE { A ) DESIGN { B3TE3T (C 3 I MS D ECTION (D)FAILUPE HISTO 3 

. (4) PARALLEL REGULATORS ARE PROVIDED- ULLAGE PRESS IS ACEG FOR PROP FE 

WITH LESS THAN 35 PERCENT PROP REMAINING. A 25-MICRON AES GSP PLUS 
10— MI CRON ABS GBR PILOT FILTER IS PRQV TO LIMIT THE POSSIBILITY OF 
CCNTAM CAUSING JAMMING OF MOVING PARTS OR PLUGGING PILOT CONTROL 
ORIFICES. (81 50*000 QPER FLOW CYCLES AMO P AMO CM VIB AT ANTIC MISSION 
LEVELS ARE PERFORMED DURING CUAL. ITEM IS USED OURING SYS EVAL TESTS A 
WSTF ALLOWING EVAL UNDER SIMUL MISSION USAGE CGNO. PROOF PRESS* LE4KAC- 
-ANO FLOW TESTING IS PERFORMED OURING ATP. FUNCT AND LEAKAGE TESTS APS 
PERFORMED CURING PRE/POST FLIGHT CHECKOUT. (C3 AN ID IS PERF AND THE 
UNIT TAGGED., MAT »L £ EQUIP CONFORMANCE TO CONTRACT REQMTS IS VEPIF SY 
INSP. THE FULL ITEMS ARE VERIF BY SHOP TRAVELER MANDATORY INSP POINTS 
RAW HAT'L* PARTS PROTECTION* MANUF* COATING* PLATING* INSTALL AND ASSY 
OPERATIONS— THE A80VE ITEMS AND THE POLL ITEMS WERE VERIF 3Y AUDIT 
.CONDUCTED 4-5-77 - CONTAH CONT PROCESSES AND CORROS PPOT PROV, CON TAM 
CONT PLAN. PROPERLY MONITORED HANDLING AND STORAGE EN V TR . THE FOLLOW I N 
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SHUTTLE CRITICAL ITEMS LIST - GR3I T ER 1C2 


SUBSYSTEM : APT - REACTICN CG.NTFGL FMEA MO 02-ZA -20103C-2 PEVUL/OS/T 
ITEMS WERE VERIFIED EV AUDIT GF MARCH 6, 1=75. I?4S°=CTICfc VERIFIES 
ASSEMBLY PER INSPECT IGN PCI MTS IN MASTER RECORD. LOG CF CLEAN RCGM AND 
CALIBRATION GF TOOLS- VER I FI ED. CRITICAL 01 MENS I CM LOO? Vz°lflED 0 Y 
INSPECTION. PARTS CLEANLINESS AND PASSIVATION BY INSPECTION. NDE 
INSPECTION PERFORMED APT HR- ASSEMBLY. TURNAROUND - -UNCT FLOW TESTS ARE 
MONITORED TO VERIFY THAT THERE IS MO RESTRICTED FLOW. (C5 NC FAILURE 
HISTORY OF THIS MGOE FOR THIS REGULATOR. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 
SUBSYSTEM AFT -RCS FMEA NUMBER 03-2A-201 035-1 

ITEM Line, Low Pressure He : FAILURE MODE' Fxtprnal I a 

1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (l.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA. EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER' BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? • ■ 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY -AFFECT 
. OTHER FUNCTIONS? 

6. HOW MANY .OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HAROWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO- SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE 8FS BE ENGAGED AFTER OCCURRENCE? 

3. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATION REQUIRED (SEE BELOW) 


3. Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

4. □ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 


□ FMEA. CHANGE RECOMMENDED 



1. Ullage transducer will give C&W alert < 200 psi. Gross leak detection will give 
first indication,. . 


3A. The helium insolation valves could be automatically closed by software upon 
sensing a caution and warning low pressure of 200 psi. 

6. Initiate cross-feed function. 

7. Caution and warning low pressure light - “Right RCS" - cathode-ray tube and down- 
link available. 

8B. Same as primary. 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2. 0 HARDWARE ACCEPTS RISK 


YES C0*NO □ 
YES Q*NO n 


YES 0 NO □ 
*YES Q NO p 
YES 0*NO Q 
YES □ NO 0 
*YES 0 NO □ 

*YES □ ‘NO- (Tj 
*YES □ NO (TJ 
*0 □ * 1(3 2 Q 

M/A DyesSnoP 
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SHUTTLE CRITICAL ITEMS LIST - CRSITER 102 


SUBSYSTEM : AFT - REACTION CCNTRGL 
ASSEMBLY : PRESSURIZATION 
P/N RI i MC6 21—0059 
P/N VENOGRJ 73A630000 
QUANTITY 1 4 

: ONE SET PER PROPELLANT 
: PER MODULE 


FMEA NO 03— 2 A -20 1035-1 
ABORT: CRIT. 

CP IT. 


MISSIONS: HP VF X FF 

PHASEtS) : PU □ X CC X 


REV: 1 1/03/78 
FUNC: I 

HOw : 1 

OF SM 
OC X LS X • 


iREOUNOANCY SCREEN: A—' ‘I/A . S-N/A C-N/A 


PREPARED 3YS 

DE3 N C GLAVINICH 

REL C M AKERS 


APPROVED BYi^ 

DE S 

PEL 


ITEM: LINE* LOW- PRESSURE HE. 

FEED LINE t 3/^'’ 1 
FUNCTIGN: 



APPROVED^ BY .UttSA}: 

SSM 

U approved with changes 

See Section ia.O 7 


. 3/ A- X .020 30LL S .S LINES TQ PRGVTDE nEL CUM FEED FROM REGULATORS TO 
PROP TANK. 

FAILURE MODE: STRUCTURAL FAILURE (S) 


RUPTUREt EXTERNAL LEAKAGE. 

CAUS Ei S ) : 

MECHANICAL SHOCK, V IBP. AT ION /F ATI GUE, IMPROPER INS” ALL A r I n\> {WELD). 
STRESS CORROS, M4 T*l DEFICIENCY ISULPHIOE STPINGE-) 

EFFECT IS): ON (A)SUSSYSTSM ( 3 ) INTERFACES (OMISSION l Q1 CPEV/VEH 1CLE: 
(A) LOSS OF SUBSYSTEM HELIUM SUPPLY. INABILITY 70 QEPLET2/U T IL IZE 
PROPELLANT. IB! LOSS OF IMtcp,facE HJhC T T ON INAPT LI T Y T n PSPRSSSUPE 
PROP TANK-POTENT POO STRUCTURE £ TPS DAMAGE. (Cl POTENTIAL LOSS OF 
MISSION OR EARLY MISSION T =PMINATIOM. (01 POTENTIAL LOSS OF 


CREW/VEHICLE IF GROSS LEAK OCCURS OR TPS DAMAGE OCCURS PRECLUDING SAFE 
ENTRY. 

.DISPOSITION £ RATIONALE IA10ESIGN 1 3 1 TEST (C ) I NSPECT ION (D)FAILURE HISTORY: 

. (A) F.S. IS 1.5 TO 4.0 'MAXIMUM OPERATING PRESSURE (SYSTEM RELIEF!. 

THE V) ELOED CONSTRUCTION ELIMINATES JOINTS AND POSS I3LE LEAK PATHS. 

THE ANNEALED AREA (DUE TO WELDING) IS SACKED UP BY A SLEEVE. FASTENING 
CLAMPS ALL GW FREEDOM OF MOVEMENT. TUBING SENDS ARE CONTROLLED 
BETWEEN FIXED POINTS TO FACILITATE INSTALLATION AND ACCOMMODATE 
VEHICLE GROWTH AND MOVEMENT. (B! ROCKWELL PERFORMED TUSING 
CERTIFICATION TESTS PER "CRSITER TUBING VERIFICATION PLAN" 

C SDT5— SH-020 5) . THIS TESTING IMCLUOED PRESSURE CYCLING AMD FATIGUE FOR 
TYPICAL 5HUTTLE LINES £ JOINTS.- SYSTEM EVALUATION TESTS AT WSTF WILL 
ALSO ALLOW EVALUATION IN THE INSTALLED SYSTEM CONDITION. LEAKAGE TESTS 
ARE PERFORMED IN-PROCESS FOR TUBING SECTIONS. OPTICAL INSPECTIONS ARE 
ALSO PERFORMED AT THIS TIME IN AODITION TO X-RAY AND DYE PENETRANT. 
LEAKAGE TESTS ARE ALSO PERFGRMED AFTE C INSTALLATION INTG THE SYSTE?* AND 
ADDITIONAL WELDS ARE ALSO SUBJECTED TO NDE. (C) AN IDENTIFICATION IS 
PERFORMED AND THE UNIT TAGGED. CONTAM. CONTROL PROCESSES, CGKRQS. 
PROTECTION PROVISIONS, NDE EXAM OF WELDS AND IN3P. FOR SURFACE AND 
SU8— SURFACE DEFECTS IS VERIFIED 3Y‘ INSPECTION. THE FOLLOWING ITEMS AFE 
VERIFIED BY SHOP TRAVELER MANDATORY IMSP. POINTS, RAW MAT 1 L (LOT 
CERTIFICATION), PARTS PROTECTION, MANUF., COATING, PLATING, INSTALLATION 
ANO ASSEMBLY OPERATIONS. HARDWARE IS INSP. IN ACCORDANCE WITH QUALITY 
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SHUTTLE CRITICAL ITEMS LIST - ORB ITER 1C2 


SUBSYSTEM : AFT - REACTION CONTROL FHEA NG 03-2A -201035-1 R EVi 1 1/CS/T 

PLANNING REOMITS DOCUMENT (CPRO) WHICH HAS SEEN APPROVED 3Y NASA. 
TURNAROUND. LINES IN ACCESSIBLE AREAS ARE VISUALLY INSPECTED FGR 
EVIDENCE OF DAMAGE AND FLOW AND PR ESSURE FUNCT ICNAL TESTS ARE MONITORED 
FOR EVIOENCE OF OBSTRUCTION' OR LEAKAGE. ID) MINOR HISTORY - 
CORROSION/ F48 PROBLEMS DETECTED QURING APQLLC CHECKOUT AND CORRECTED. 
HISTORY - C0RR0SIGN/FA3 PRG8LEHS DETECTED DURING APPOLLC CHECKOUT AND 
CORRECTED. 
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5. 


6 . 


SUBSYSTEM AFT - RCS 
ITEM Relief Valve 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 
FHEA NUMBER 03-2A-201 060-4 


failure mqoe Exter nal L ea k - Fail s Op en 


l. 


la. 


2 ... 


3. 


3a * 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR. TAKE ACTION IH RESPONSE)? 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

ARE THE' ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH. THE FHEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS. 
FAILURE .MODE (EITHER BY COMMANDING HARDWARE ACTION. OR IMPLEMENTING ALTERNATE - 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN. THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 


HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE- TOLERATE (CONSIDER- CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY-. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUE5 PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO- EITHER 1 OR 3 IS YES: 

A. CAN THE 8FS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

‘EXPLANATION REQUIRED (StE BELOW) 


YES 

m 

NO 

□ 

*YES 

s 

NO 

□ 

YES 

m. 

*N0 

□ 

YES 

□ 

NO 

□ 

‘YES 

□ 

NO 

0 

*YE5 

□ 

NO 

0 

*YE5 

0 

NO 

■tn 

*0 □ *lj 

3 

zD 


N/A □YESQNOQ 


YES- 0*NO □ 

YES. (Tj*NO Q 


CHANGE/RETENTION RATIONALE SUMMARY 

1. Q NO- H/S ISSUES 

2. jJJ HARDWARE ACCEPTS RISK 


3: P NO SOFTWARE DETECTION 

4. C3 DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. Q RECOMMENDED- CHANGES BELOW 


□ FHEA CHANGE RECOMMENDED 

EXPLANATION/COMMENTS : 

1. Gross leak detection will give first indication. 

la. Measurements ' V42P21 -1 5, 2116, 3115, and. 3116 provide propeTTant tank ullage pressure 
signals from transducers. 

! 6. Left and right AFT RCS pods provide redundancy. 

: 




SHUTTLE CRITICAL ITEMS LIST - CR8ITER 102 

1 


SUBSYSTEM :AFT — REACTIGN CONTROL 
.ASSEMBLY iPRS.SSURI ZAT ION- 
„P/N RI IMC284— Q421-G001/— 0002 

.P/N VENnOR;. 5760009 -101 /576 -0009-1 02 
.QUANTITY . S4 

„ 5 ONE PER PROPELLANT TANK 


FMSA MO 03- 2A -201060-V REVJ12/1A/7P 
ABORT: CRIT. FUNC: 1R 

CRIT. HDW : 2 

MISSIONS: HP. VF X FF OF SM 
PHASE(S): PL LQ X CO X. OQ X LS 


.PREPARED 
.OES . 
.REL 


t. REDUNDANCY SCREEN: 

BY: . APPRGVEOlBY: . 

R. GONZALEZ OSS 

C M AKERS REL C ' 


• ITEHT. valve 

. RELIEF* PRESSURE, BURST DISC £ POPPET... 


A-PASS 8-FAIL C-PASS 
APPROVED BY/ (NASA):// 

R £ Wf . . . 
APPROVED WITH CHANGES 
See- Section 13.0 


.FUNCTION: 

. PROVIOES PRESSURE RELIEF IN EVENT REGULATOR FAILS OPEN OR PROPELLANT 
PRESSURE RISES DUE TO THERMAL INCREASE. THE S.S. BURST DISC RELIEF 
PRESSURE IS 324-340 PSIG. THE MAIN POPPET CRACK AMO RELIEF' PRESSURE IS 
■ 315 PSIG AND THE MINIMUM RESEAT PRESSURE IS 3tQ PS I.. AMBIENT PRESSURE 

SENSING INTERNAL IS PROVIDED SINCE THE VALVE CUTLET IS SU3JECTE0 TO 
3 ACK— PRESSURE. 

.FAILURE MODE: EXTERNAL LEAK '£F3 

. FAILS OPEN, MAIN- -POPPET OR DIAPHRAGM LEAKS OR MAIM POPPET DOES NOT 
RESEAT AS REQ* 0 AFTER BURST 01 SC RUPTURE. 

.CAUSE(S): ' 

.. CORROSION. CONTAMINATION, POPPET BINDS IN GUIDE, SPRING SPEAKS CR COCKS, 
SEAT CRACKS,- MOISTURE FREEZES, VIBRATION, SHOCK. 

.EFFECT! Si: ON ( A} SUBSYSTEM (8 } INTERFACES {OMISSION ( QICREWVEH CCLE: 

.. {A) LOSS OF SU8SYTEM PRESSURIZATION., (33 LOSS OF INTERFACE FUNCTION 

(INABILITY TO RE-PRESSURI2E. PROPELLANT TANKS CUE TO HELIUM LOSS). 

POSSIBLE INABILITY TO USE/OEPLETE PROPELLANT. • { C3 LOSS CF ENTRY 
CAPABILITY - ASSUMES ULLAGE PRESSURE IS ALSO VENTED CV5RBOARO £ PROP 
CANNOT BE DEPLETED. (2 FAILURES - FIRST IS RELIEF' REG* MT) «. ABORT 
DECISION IF LEAK RATE IS SMALL. ( DJ NO EFFECT {FIRST FAILURE. (6) 
FUNCTIONAL CRITICALITY EFFECT - POSSIBLE LOSS OF CREW VEHICLE - SEE 
ITEM (C) ABOVE. PROP IN ONE POO KAY NOT BE ADEQUATE FOR ENTRY. POSS 
ENTRY CONTROL £ LANDING HAZARQ, LC.G. J IF PROP CANNOT BE DEPLETED PRIOR 
TO LANDING.. 

.DISPOSITION £ RATIONALE (A)DESIGN { 3> TEST (C) INSPECTION { D ) FAILURE HISTORY: 

. (A) THE 8URST DISC IS REDUNDANT TO' THE MAIN POPPET FOR THE EXTERNAL 

LEAKAGE MODE- (MAIN POPPET LEAKAGE 'WOULD NOT BE SENSED UNTIL AFTER . 
BURST DISC ACTUATION OR FAILURE). A 25r-MICRCN FILTER DOWNSTREAM OF THE 
BURST OISC WILL REDUCE THE POTENTIAL FOR CONTAMINATION CAUSED LEAKAGE 
FAILURE. THE HELIUM ISOLATION VALVE ’COULD BE CLOSED DURING STATIC 
PER 10 OS* THIS WOULD PREVENT CONTINUING LO’SS OF SOURCE PRESSURE. THE' 
MAIN POPPET STEM IS A’ SEPARATE PIECE FROM THE MAIN SENSING SPRING 
ACTUATION MECHANISM. THIS PROVIDES CLOSE TOLERANCE CONTROL OF OPENING 
PRESSURE £ ALLOWS THE POPPET TO SEAT INOEP ENOENTLY OF THE LARGE SENSOR 
SPRING FORCE.- (B) 36, QOQ PRESSURE EXCURSION CYCLES AT SYSTEM OPERATING 


3.004 

35 


SD75-SH -0003 



SHUTTLE CRITICAL ITEMS LIST - ORB ITER 102 


SUBSYSTEM : A FT - REACTION. CONTROL FMEA NO 03-zA -201060-4 REV: 12/14/7 
' PRESSURE AND 400 PRESSURE RELIEF CYCLES ARE CONDUCTED DURING QUAL. 

1C) AN IDENTIFICATION IS PERFORMED CONTAMINATION CONTROL PROCESS , 
CONTAMINATION CONTROL PLAN, CQRRGS, PROTECTION PROVISION, NOE EXAM OF 
WELDS, INS P FOR SURFACE AND SUSSURFACE DEFECTS, PROPERLY MDNI T 0R6Q 
HANDLING AND STORAGE ENVIRONMENT, ANO MAT * L ANO EQUIP, CONFORMANCE TO 
CONTRACT REQMTS. ARE VERIFIED 3Y INSP. THE FOLLCWING ITEMS A P E VERIFIED 
BY SHOP TRAVELER MANDATORY INSP POINTS-RAW MAT 1 , ( LOT CERTIFICATION) , 
PARTS PROTECTION, MANUF. , COATING, PLATING, INSTALLATION ANO ASSY 
OPERATIONS, TURNAROUND - LEAKAGE TESTS ARE MONITORED TO VERIF. THAT THE 
BURST DISC IS STILL INTACT AND THAT THE MAIN POPPET LEA-K RATE IS WITHIN 
SPECIFICATION REQMTS. VISUAL INSP FOR EVIDENCE CF Dc TE RI CRAT IGN IS ALSO 
PERFORMED, (D) APOLLO FAILURES WERE DG LARGELY TO GALVANIC CGRRCS. £ 
CONTAMINATION CORRECTED BY DESIGN £ TEST PROCESSING CHANGES. {ThE 
SHUTTLE RELIEF VALVE IS A NEW DESIGN WHICH CONTAINS A FILTER £ DOES NOT 
USE DISSIMILAR- METALS). 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

FHEA HUMBER Q3-2A-2Q1 070-1 

He Fill Quick Disconnect FAILURE MODE' Fails Open 


SUBSYSTEM AFT - RCS 
ITEM 


I. 


la. 


3. 


3a. 


5. 


6. 


7. 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e. , AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

IF HOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FHEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

DOES- THE FLIGHT SOFTWARE TALE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
{EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

CAN THIS FAILURE MODE, IN COMBINATION' WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FHEA CRITICALITY. 


IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES' PROVIOEO 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


YES 

m 

NO 

□ 

*YES 

□ 

NO 

P 

YES 

□ 

♦NO 

□ 

YES 

□ 

NO 

0 

♦YES 

□ 

NO 

0 

i 

♦YES' 

□ 

NO 

0 

♦YES 

□ 

NO 

Ef 


*0 □ *lQQ ?□ 

n/a QyesQhoQ 


YES (Xj*NO □ 
YES GO*HO Q 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2.0 HARDWARE ACCEPTS RISK 


3. Q NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. Q RECOMMENDED CHANGES BELOW 


In-Flight detectability 

0 FMEA CHANGE RECOMMENDED 

EXPLANATION/COMMENTS : 

1. Gross leak detection will give first indication. 

6. Capped quick disconnect provides one redundant success path. 

Pod Redundancy 
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SHUTTLE CRITICAL ITEMS LIST - CR3ITER 102 


SUBSYSTEM :A FT - REACTION CONTROL 
ASSEMBLY : P P.ESSUR IZATIGN 
P/N RI :MC2 76— 0 C17— Q402/— 0403 
P/N VENCOR: 75372 OCC-040L/-G403 
QUANTITY 

: ONE PER HELIUM TANK PER 
:POO 


FMEA MG 03-2A -201070-1 


REV: 12/12/78 


ABORT: 

MISSIONS: 
PHASE(S) : 


HF 

PL 


VF X 
LO X 


CR IT. FUNC: ] 

CP. IT. HOW: : 

FF OF SM 
CC X DO X LS X 


REDUNDANCY SCREEN: A-N/A B-M/A C-N/A 


PREPARED 

DES 

REL 


BY: 


C SCARLETT 
C M AKERS 


APPROVED 
C“S H, 
PEL 




APPROVE 
SSM , 



— 

WtoOVED WITH CHANGES 


See Section 13.0 


AND STRUCTURAL END CAP. 


219/220 

ZP Er AT IONS 
-ANEL . 


ITEM: disconnect, quick, fill.h? 

{ 1/ 4** ) WITH spring loaded poppet 

FUNCTION: 

PROVIDE HELIUM TANK FILL AND VENT PC I. NT FOR G»CUND SERVICING 

• AND LOADING. COUPLING IS ACCESSIBLE AT THE HELIUM SERVICING 

FAILURE MODE: FAILS OPEN' IS) 

EXCESS OF ACCEPTABLE RATE, SEALS DAMAGED. 

CAUSE(S): 

CONTAMINATION, VIBRATION, MECHANICAL SHGC.K, PIECE-FART STRUCTURAL 
FAILURE, EXCESS OR I^P^OPE-. USE, INADFC S: [NT UP GSE HALF, NC LINE 
SUP°CRT - SHAFT OR 50 c E BENT. RETAINING C*? LOCSENS NEGATING CA» SEAL 
REDUNDANCY. 

EFF'ECTIS): ON { A ) SUBSYSTEM t *» ) INT5RFAC ES {C) M ISSIGN (0 ) CP EVi/ VE U I C LE: 

(A) LCSS OF SUB- SYSTEM PRESSU-R 1 2 ATI CN (-3) LOSS OF INTER F AC5 FUNCTION 
(INABILITY TO E PRES SUP I ZE PROPELLANT ' TANKS CUE TO HELIUM LOSS). (C) 
LAUNCH DELAY OP ABORT. {01 POTENTIAL CPE'* LOSS TURING MI SION IF ' 
oRuPELLANT CANNOT 3E UTILIZED CR DEPLETED. 

DISPOSITION £ RATIONALE (A)CESIGN t3)T£ST (C ) INSPECTION ( D ) FAILURE HISTORY: 
(A) F.S. IS 2-0 X WORKING PRESS. ULLAGE PRESS IS ADEO TO EXPEL PROP 
WITH 35 PERCENT OR LESS REMAINING. GRGUND HALF COUPLINGS AND LINES ARE 
SUPPORTED TO LIMIT ANY UNCJE STRESS ON THE COUPLING DURING SEPVICE AND 
PRPV DAMAGE TO SEALS. A SAFETY FEATURE OUTING SERVICING AND ORICR TO 
REMOVAL OF THE END CAP IS A PROV WHEREBY ANY LEAKAGE PAST T HE AIRBORNE 
.POPPET SEAL CAN BE VENTED OVERBOARD BY ROTATING A 3L.EE0 SCREW . COMPLETE 
STRESS ANAL HAS SEEN CONDUCTED. UTIL OF STRUCT ‘CAP MINIMIZES LEAKAGE 
POTENTIAL AND PROVIDES A RHOUN SEAL EXCEPT FOR STRUCT FAILURE. C B ) THE 
COUPLING IS SUB TO 600 OPERATIONAL CYCLES (COUPLING AND UNCOUPLING) 

DURING QUAL. RANDOM VIB TESTING IS ALSO CONDUCTED AT ANTIC VSH LEVELS 
FOR 48 MINUTES IN TWO AXES. USAGE DURING SY'S 5VAL TESTS AT WSTF ALLOWS 
EVAL UNDER ACTUAL USAGE CON. PROOF PRESS TESTS ARE CONDUCTED DURING ATP 
AND LEAKAGE TESTS ARE PSP-F BEFORE AND AF T ER CPER CYCLES. (C) AN ICENT 
IS PERF. RAW MAT 'L , NOE EXAM, VISUAL INS? FCR CRITICAL SURFACE DEFECTS, 
AND EQUIP CONFORMANCE TO CONTRACT REQ.MTS ‘ 4?£ VcRIF 3Y RECEIVING INSP. 
MEASUREMENT STANDARDS AND TEST EQUIP. STANDARDS ARE IMPLEMENTED PER 
REQMTS OF MIL SPEC. THE FOLLOWING ITEMS ARE VERIF BY SHOP TRAVELER 
MANDATORY INSP POINTS- PARTS MFS. PROCESSES, COATING, ASSY A.NO 
INSTALLATION. THE ABOVE ITEMS AND THE FOLLOW T NG ITEMS WERE VERIFIED BY 
AUDIT CONDUCTED 5-23-77. CORRQS PROT PROV, CO NT AM CCNT PROCESSES, TFST 
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SHUTTLE CRITICAL ITEMS LIST - CR.3ITSR 102 


SUBSYSTEM t AFT - REACTION CONTROL FMEA NO 03-2A -201070-i REV:I2/I2/7£ 

HANDLING* ANC STORAGE 6NVIR. THE FOLLOWING ITEMS WERE VERIFIED BY AUDIT 
OF MARCH 6* 1978. INSPECTION VERIFIES ASSEMBLY PER INSPECTION PGINTS IN 
MASTER RECORD. LOG OF CLEAN ROOM 'AND CALIBRATION OF- TOOLS VERIFIED. 
CRITICAL DIMENSION LOO? VERIFIED BY INSPECTION. PARTS CLEANLINESS AND 
PASSIVATION VSR4-FISD 8Y INSPECTION. NDE INSPECTION PERFORMED AFTER 
ASSEM8LY. TURNAROUND. COUPLINGS ARE VISUALLY INS? FOR EVID CF DAMAGED 
SEALS ANO LEAK TESTS APS PERFORMED. (C) APCLLO FAILURE HISTO°Y W4S IN 
THE MAIN ASSOC WITH GROUND f USAGE » IMPROPER HANDLING. 
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■HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 
SUBSYSTEM AFT - RCS ■ • FMEA NUMBER 03-2A-2Q1 080-1 

ITEM Piirgp Quick Discern#^ P^ppllant. FAILURE MODE .External Lepage 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES Q NO Q 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? - 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION -THAT THE FLIGHT SOFTWARE COULD *YES Q NO' H 

USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES Q*NO [X] 

IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES Q NO |Tj 

{EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM" LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES Q NO |T] 

FAILURE MODE {EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MOQE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES Q NO (x] 

INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES Q NO (31 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE {CONSIDER CREW *0 (X] *lQ 2Q 

ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTIOil IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED M/A QyEsQmoQ 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? ' YES (Xj*NO □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES {x]*NO □ 


♦EXPLANATION REQUIRED {SEE BELOW) 


. CHANGE/RETENTION RATIONALE SUMMARY 
r.Q NO H/S ISSUES . 

2.££3 HARDWARE ACCEPTS RISK 

3. p. NO SOFTWARE DETECTION 

4. □ DETECTION DURING’ CHECKOUT 

5. □'ACCEPTANCE RATIONALE BELOW 
5. □ RECOMMENDED CHANGES BELOW 


fx] FMEA CHANGE RECOMMENDED 


EXPLANATIQM/COMMENTS: 


1. Gross leak detection will give first indication. 

2. The above statement indicates in-flight detection. 

6. Heed minimum of 2 yaw thrusters. Cross-feed is available. Pods are redundant. 
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SHUTTLE CRITICAL ITEMS LIST - CP. BITER L02 


SUBSYSTEM j APT - REACTION CONTROL 
. ASSEMBLY :P RE3SUR IZAT ION 
.P/N RI SMC276-0013 
. P/N- VcNOCR; 7 63 6 LOCO Z T63I6000 
.QUANTITY S2S 


FMEA NO 03— 2 A -201030-1 


P.EViU/Qg/73 


ABORT : 

.MISSIONS: HP 

PHASE! S I : PL 


CP IT. FUNC: 
CR T T. HOW : 
VF X FF CP SM 
LO X CG X DQ X LS 


IP 

■3 


. s].4- PER POO 

* . <12 OF 1/Z IN. 

* ' .2 OF 1/4 IN. 

.PREPARED BY:' ' 

.OSS C SC4RLSIT 

.R £L C M AKERS 


REDUNDANCY SCREEN: A-PASS 8-FAIL C-P4SS 


APPROVED 5Y 
Dr S 

psl 



/zjiffri 
'Wrf ~ 


IN ASA): 


APPROVED 3 

APPROVED WITH CHANGES 

.ITEM: DISCONNECT » QUICK. PURGE. S6fi Sectlon 13 -° 

. VENT t PROPELLANT WITH STRUCTURAL END CAP AND SPRING LOADED PGPPET 
li/2™ & 1/4 IN.).- 
.FUNCTIONS ' 

. -TO ALLOW GROUND °UP GE OF PRCPELLANT MANIFOLDS DURING TURNi ROUND 
CPERATICNS. 

.FAILURE .MODE: EXTERNAL LEAKAGE (S3 

• CAP LEAKS t SEALS DAMAGED RETAINING NUT LOOSENS NEGATING CAP SEAL 
REDUNDANCY. * 

.CAUSE! Si ; 

. VIBRATION. PIECE PART STRUCTURAL FAILURE. 'CCI^A V IM t- T ION , MECHAmIC'.L 
SHOCK. ScaL DAMAGE, IMA050 MAIMT OF'GSE hALF, NO L I NS SUPPORT _ SHAFT 


OR BORE 8 ENT 

-EFFECT! S); ON ! A ) SUBSYSTEM ( 3 ) INTERFACES O^ISSICN (0) CRSa/VEH ICL5: 

. !A,g> LOSS Or REDUM04NCY 

(PROPELLANT MANIFOLD ISOLATION VALVE COULD ISOLATE LEAK). .CC5 MISSION 
MODIFICATION OR ABORT DECISION. !0) NO EFFECT UNLESS -MULTIPLE Fa[LU==5 
OCCUR CR EXCESS LOSS' GF PROPELLANT OCCURS. !E 3 , FUNCTIONAL CRITICALITY - 
EFFECT - POSSIBLE CREW/VEFICLS LOSS - LOSS OF RCS ENTRY PROPELLANT. 
POSSIBLE LOSS OF VEHICLE CONTROL DURING ENTRY. 

.DISPOSITION Z RATIONALE 14 ) DESIGN C83TSST (Cl INSPECTION (DJFAIlUPE HISTORY: 
. (A) F.S. IS 2.0 X WORKING 3R£SS. REDUNDANCY PROVIDED 3Y INTERNAL SEAL. 

CAP Z MANIFOLD ISOLATION VALVE. GPGUNO HALF COUPLINGS AND LINES ARE 
. AQEQ SUPPORTED TO LIMIT ANY UNDUE STRESS GN THE COUPLING DURING SERVICE 
AND PREV QAMAGE TG SEALS. A SAFETY FEATURE DURING SERVICING AND PRIOR 
TO REMOVAL OF THE END CAP IS A PROV WHEREBY AMY LEAKAGE PAST THE 
AIRBORNE PCPPET SEAL CAN 36 VENTED GVEF BOARD BY ROTATING 4 BLEED SCREW. 
COMPLETE STRESS ANAL HAS 3SEN CONDUCTED. UTIL CF STRUCT CAP MINIMIZES 
LEAKAGE POTENTIAL AND oROVIOSS A REDUM SEAL EXCEPT FOR STRUCT FAILURE. 
FAILURE CAN BE ISOLATED AT MANIFOLD VALVE. !3) THE CGUPLING -IS SUBJ TO 
600 OPER CYCLES (COUPLING AND UNCOUPLING) DUPING QUAL IN 4C0ITICN TO 
PRESS SURGE CYUCLING AND PROP EXPOSURE TESTS- RANDOM VI3 TESTING IS 
ALSO CONDUCTED AT ANTIC VEH LEVELS FOR 3? MINUTES IN E4CH-AX.IS. USAGE 
DURING SYS EVAL TESTS 4T W'STF ALLOWS cVAL UNGER ACTUAL USAGE CG.\D. 

PROOF PRESS TESTS ARE CONDUCTED DURING ATP AND LEAKAGE TESTS ARE P ERF 
BEFORE ANO AFTER OPER CYCLES. (C) AN IOENT IS PERF. RAW MAT'L, NOE 
EXAM. VISUAL INSP FOR CRITICAL SURFACE DEFECTS. AND ECUIP CONFORMANCE TO 
'CONTRACT REQMTS ARE VERIF BY RECEIVING INSP. MEASUREMENT STANDARDS AND 
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SHUTTLE CRITICAL ITEMS LIST - ORB ITER 102 


SU8SYSTEM : AFT - REACTION CONTROL FMEA NO 33-2A -201030-1 R £V: 11/0 3 / 7 8 
TEST EQUIP. STNDARO.S ARE IMPLEMENTED PER ?. SORTS OF MIL SPECS. THE 
FOLLOWING rTEMS ARE V ERI F 3Y SHOP TRAVELER MANDATORY INSP POINT S-P ART'S 
PROT, MFG- PROCESSES, COATING, ASSY ANO IN STALLATI CM. ThE A30VE ITEMS 
AND THE FOLLOWING ITEMS WERE VERIFIED 3Y AUDIT CONDUCTED 5-23-77. 

COkRCS PROT, PROV CON.T AM CG.NT PROCESSES, TEST HANDLING, AND STORAGE 
ENVIR.. THE FOLLOWING ITEMS WERE VERIFIED 3Y A'JCIT OF MARCH 6, 1973. 
INSPECTION VERIFIES ASSEMBLY PSR'i I NSPECT ION POINTS IN MASTER RECORD. 

LOG OF CLEAN RCQM AND CAL 13 RAT ION OF TOOLS VERIFIED. CRITICAL DIMENSION 
1002 VERIFIED BY INSPECTION. PARTS CLEANLINESS AND PASSIVATION VERIFIED 
BY INSPECTION. NDE INSPECTION. PERFORMED AFTER ASSEMBLY. 
TURNARCUND-COUPLINGS WILL BE VISUALLY INSPECTED FOP EVIDENCE OF CAP SEAL 
DAMAGE ANO CAP LEAKAGE. (0 > APOLLO FAILURE hlSTC’Y WAS IN THE MAIN 
ASSOC WITH GROUND USAGE, IMPROPER hAHOLING. 
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- HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

SUBSYSTEM AFT - RCS FMEA NUMBER Q3-2A-201 090-1 

.ITEM Test Quick, Disconnect FAILURE MODE External Leakage 

I. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY' 

- ANNUNCIATE OR TAKE. ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULO 
-USE TO DETECT THE FAILURE? 

2.. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT 0ETECTA8ILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO. COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HAROWARE OR 
INDUCE ANOTHER' FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? . 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION.)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND' THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAM THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

^EXPLANATION REQUIRED (SEE BELOW) 

5. □ ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


(xjFMEA CHANGE RECOMMENDED 



1. Gross leak detection gives first indication. 

2. FMEA change - in flight detectability should include above measurement numbers. 

6. Pod redundancy. 


CHANGE / RETENTI ON RATIONALE SUMMARY 

1.0 NO H/S ISSUES 3‘. □ NO SOFTWARE DETECTION 

2. [Xj HARDWARE ACCEPTS RISK 4. CJ DETECTION OURING. CHECKOUT 


YES Q NO □ 
*YE$ □ NO P 
YES P_*NO 0 
YES □ NO 0 
*YES □ NO 0 

*YES □ NO 0- 
*YES □ NO 07 

*0 □ *lQ 20 
H/A DyEsQnoQ 

YES [xj*NQ Q 
YES GD*NO Q 
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CRBI-TEP 102 


SHUTTLE CRITICAL ITEMS LIST - 


SUBSYSTEM : APT - REACTION CONTROL 
ASSEMBLY JPRE5SUR I2ATICN 
P/N RI :M£27o-0C32-0005r7, 19,21 
P/N VENC0R:RP.A2o7G— 5»— 7RG429D J— IS— 3 
QUANTITY : 36_ 

, s 18. PER MODULE 


FM5A NO 03— 2 A -201090-1 REV: L2/L2/7c 
A6C-FT : CR IT. FUNC: IK 

CP IT. HOWS 3 

MISSIONS: HF VF X FF OF SM 

PHASE ( S ) : PL L3 X CC X 9G X LS 


REDUNDANCY SCREEN: A-F4IL B-rAIL C-P ASS 


. APPROVED WITH CHANGES 

.ITEM: DISCONNECT » QUICK + TEST See Section 13.0 

. P T . (1/V) WITH SPRING LOADED' POPPET A.\0 STRUCTURAL END CAP. MO - • 

20 L-20AVZQ 7-216/ 30 1— 3 04/ DO 7-3 16 
•FUNCTION: , 

. TO PROVIDE ACCESS’ TG THE HELIUM SUPPLY SYSTEM AT VARIOUS POINTS IN THE 
SYSTEM (RELIEF VALVES/BURST DISCS REGULATORS, CHECK VALVES). PROVIDES 
FOR C/0 OF PRESS SUE— SYS COMPONENTS. COMPONENT INPUTS S OUTPUTS ARE 
ACCESI6LE AT HE SE C V PANEL- THE END. CAP PROVIDES RE DU (DANCY <=UR 
EXTERNAL LEAK. 

.FAILURE MODE: EXTERNAL Lc/KAGc <S) 

. CAP LEAKS, SEALS CAH AGED*. 

-CAUSE! S ) : 

. VIBRATION. P I ECS °AR7 STRUCTURAL FAILURE (POPPET, SE'.L), MECHiMICAL 
SHOCK. EXCESS TORQUE, SEAL GARAGE, t.NAOEQ MAI NT OF 03E HALF, NO LINE 
SUPPORT - SHAFT CR 00" E SENT. 

. EFFECT ( S ) : ON ( A ) SUB SYSTEM (3)INTERFACSS (OMISSION ( D ) CR E’.'/V EHICLE: 

. (A) ’LOSS OF SUBSYSTEM PRESSURIZATION CR REDUNDANCY DEPENDING r-f'l 

LOCATION . (B) LOSS OF INTERFACE FUNCTION (LOSS OF PROPELLANT FEE 0 

CAPABILITY). (C ,0-5 NO EFFECT DUS TO REDUNDANT ^GP^ET SEALS S END CAP. 

(El FUNCTIONAL CRITICALITY EFFECT - POSSIBLE CREW VEHICLE LOSS. LOSS 
OF PRESSURANT RESULTS IN IN48ILITY TQ BURN OR DEPLETE RCS PPC°SLLAN7. 

THIS WOULD RESULT IN POSSIBLE INABILITY TO CONTROL VEHICLE DUPING ENTRY 
DUE TO INABILITY TO USE RESERVED ENTRY PROPELLANT OR C.G. PROBLEMS 
RESULTING FROM PROPELLANT WEIGHT ». 

.DISPOSITION S RATIONALE (A)OESIGN (B)TSST !C ) INSPECTION (D)FAILURE HISTORY: 
- (A) F.S- IS 2.0 X WORKING PRESS. ULLAGE PRESS TS AOEQ TC EXPEL PRGP 

WITH 35 PERCENT OR LESS REMAINING- GROUN HALF COUPLINGS AND LINES ARE 
ADEQ SUPPORTED TO LIMIT ANY UNDUE STRESS ON THE COUPLING DURING SERVICE 
AND PREV OEMAGE TC SEALS AND WELD JOINTS. A SAFETY FEATURE DURING- 
SERVICING AND PRIOR TO REMOVAL OF THE END CAP- IS A PRQV WHERE3Y ANY 
LEAKAGE PAST The AIRBORNE POPPET SEAL CAN 8£ VENTED OVERBOARD 3Y 
ROTATING CAP. UTIL OF STRUCT CAP MINIMIZES LEAKAGE 3 0T?NTI4L AND 
PROVIDES A RSDUN SEAL EXCEPT FOR STRUCT OR WELD FAILURES. ( 3 ) THE 
COUPLING'IS DESIGNED FOR 400 GPER CYCLES (COUPLING AND UNCOUPLING J . 

USAGE OUR I.NG SYS EVAL TESTS AT WSTF ALLOWS SV4L UNDER ACTUAL USAGE CCNQ. 
PROOF PRESS TESTS ARE CONDUCTED DURING- ATP AND LEAKAGE TESTS ARE PERF 
BEFORE AND AFTER OPER CYCLES. !C} AN TDENT TS PERF AND THE UNIT TAGGED. 
RAW H AT * L r NOS EXAM OF WELDS, VISUAL TNSP. OF WELD JOINTS FOR 


.PREPARED BY: 

•OES 

,RSL 


C -SCARLETT 
C M AKERS 


APPROVED B)f: 
OES 





y/> f 
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SHUTTLE CRITICAL ITEMS LIST - QR3ITER 102 


SUBSYSTEM : AFT - REACTION CCN”RGL FMEA MG 03-2 
CONFORMANCE TO STANDARD WELD PRACTICE, SURFACE 
CONFORMANCE TO CONTRACT PROMTS AP-5 V2RIF 8Y P. EC 
STANDARDS AND TEST 52UIP. STANDARDS ARE IN PL EMC 
S^ECS. THE FOLLOWING ITEMS ARE VERIF 3Y SHOP 
POINTS- PARTS PROT, M?G. PROCESSES ♦ COATING, P 
INSTALLATION. THF ABOVE ITEM'S AND THE FOLLOW IN 
AUDIT CONDUCTED Li-3-75. CAROS’ PROT PROV, CON 
HANDLING* AND STORAGE ENVlR. TURNAROUND- COUP 
INSPECTED FOR EVIDENCE OF SEAL DAMAGE AND CAP l 
BETWEEN, THE HELIUM I SOL VALVE £ REGULATOR f. THt, 
TANK C/0 APE NOT ACCESSIBLE AT SERVICING 0 AN ELS 
HISTORY VAS IN THE MAIN ASSOC WITH GROUND USAGE 


A —201090—1 REV: 12/12/7 
DEFECTS, AND EQUIP 
EIVING INS?.. MEASUREMENT 
NTSD c ER PECKTS Or W IL 
R3VELSR MANCATCRY INSP 
LATINS, ASSY AND 
G ITEMS WERE V=RIFIEO BY 
TAM CC.NT PROCESSES, TEST 
LINGS WILL BE VISUALLY 
EAKAGE. {COUPLINGS 
SE ASSOCIATED vITH PROP 
) (C ) A°CLLO FAILURE 
- r.v.PfJrppK HA. NOi T-'mG. 
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SUBSYSTEM AFT - RCS 
ITEM He Quad Check Valve 


HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-01 03-2 

FMEA NUMBER 03-2A-201 095-2 

FAILURE MODE Fails Closed 


1 . 


la. 


3a. 


4. 


5. 


6 . 


7. 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH- THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 


IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MOOE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATION REQUIRED (SEE BELOW) 


YES 

H] NO 

□ 

*YE5 

□ NO 

P 

YES 

□ *N0 

0 

YES 

□ NO 

0 

*YES 

□ NO 

0 

*YES 

□ NO 

0 

*YES 

□ NO 

0 

*o □ 

I 

20 


n/a QYEsdaoa 


YES (2*N0 □ 

YES 0*NO '□ 


CHANGE/ RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2.0 HARDWARE ACCEPTS RISK 


3. P NO SOFTWARE DETECTION 

4. £] DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. Q RECOMMENDED CHANGES BELOW 


GO FMEA CHANGE RECOMMENDED 

EXPLANATION/COMMENTS : 

1 & 2. Upon using the thrusters, propellant tank ullage pressure will decay until <200 
psi which will give a class 2 alarm, caution and warning. (Red Light) 
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SHUTTLE CRITICAL ITEMS LIST - CR3ITBR 102 


SUBSYSTEM :AFT - 'REACTION CONTROL 
. ASSEMBLY iPRESSUR I2AT ION 
• P/N Rl SMC2S4— 34SL— 3031/-0002 

• P/M VENDORS RSJ3LQ5Q0-O01 -Oil 
.QUANTITY S4. 

. S0N6-PER HELIUM SUPPLY 


FM64 NO 03— 2 A -201095-2 • REV: 12/12/79 


A3CR.T : 




CRIT, FUNC 

: 1R 





CRIT. 

HOW 

: 3 

MISSIONS: 

HF 

VF 

X 

FF 

OF 

SM 

PHASE(S) :• 

PL 

L3 

X 

CC X DO X 

LS 


REDUNDANCY SCREEN: A-®ASS S-FAIL C-PASS 


PREPARED 

>OES 

.REL 


8Y: 


R. BURKHART 
-C M AKERS 


APPROVED 

06 $M 

R£L 



APPROVED BY* /NASA)) : f 




.ITEM: VALVE , QU40, CHECK, HE. 

. CV 20 L/202/30 L/302 
.FUNCTIONS 

. EACH CHECK VALVE QUAD PITH A PCP°ETS IN SERI 
PROVIDES PARALLEL REDUNDANCY FOP. HELIUM PRES 
REDUNDANCY TO L IM I T BACK FLOW OF PROPELLANT 
TANKS TO THE REGULATOR. A 30KL 25 MICRON <=I 
INLET. VALVE UTILISES CUTTER SEAL 0631 GN CO 
PER POPPET) 

• FAILURE MOOS: FAILS CLOSED (F) 

. RESTRICTED FLOW . 

. CAUSE! S ) : 


SSM 

a5 kr^-- 

APPkOVED WITH CHANGES 
See Section 13.0 


23 - PARALLEL A"? ANGcMSN 7 
SIP IZATICN \i\D SERIES 
V-\PCRS FROM th E ^uPELLAN 
L^ER IS UTILIZED \* THE 
‘■ : CS PT {TWO SEALING SU*FAC 


ec 


.- STRUCT FAILURE,- SHOCK, VIS, P’j 3 PS~ BINDS IN GUIDE, C f lN‘ r AM, VA^DR 
FREEZES IN COLD VALVE, CCPRGS. 

..EFFECT! S ) : ON (AJSUSSYSTEH ! 8 ) INTERFACES (C)MtSSICN ( ? ) C R 5 V / V EH [ C L E : 

. (A) LOSS OF REDUNDANCY - PARA L FLOW PATH... (E,C,C) NO EFFECT UNLESS 

PARAL POPPETS FAIL CLOSED. FA [ L'JP E OF PAPAL =0P o ETS WOULD CAUSE MIX 
RATIO SHIFT AND POSSI3LY PREVENT UTIL/CEPLETICN CF ALL 3 ?QM l POPPETS 
EVENTUALLY UNSEAT). (E) FUNCTIONAL CRITICALITY E C FECT - POSSIBLE CR5/f 
VEHICLE LOSS. FAILURE OF PARALLEL POPPETS WOULD POSSIBLY RESULT IM 
INABILITY TO BURN OR DSP LET 2 ALL RCS °RC?ELLANT IN ADDITION TO MIXTURE 
RATIO PROBLEMS WITH 3 SSULTANT THRUSTER FIRING PROBLEMS. POSSIBLE 
INABILITY TO CONTROL VEHICLE DURING ENTRY DUE TO INABILITY TO UTILIZE 
RESERVED PROPELLANT AND C.G. PROBLEMS OUE TO PROPELLANT WEIGHT. 
.DISPOSITION £ RATIONALE (A)OESIGN !B)TEST (C ) INSPECTION {OlFARURS HISTORY: 
. (A) SERIES-PARALLEL PEOUNDANT POPPETS PROVIDE REDUNDANCY FOR THE CLOSED 

FAILURE MODE. TO LIMIT r HE POTENTIAL FOR POPPET SHAFT BINDING, OP. 
GENERATION OF CONTAMINATION THE .GUIDE PINS UTILIZE S4PPHRE AS A WEAR 
RESISTANT SURFACE. A 25-«ICR0N INLET FILTER WILL ALSO REDUCE THE 
POTENTIAL FOR A CLOSED FAILURE BY LIMITING THE POTENTIAL FOR 
CONTAMINATION TO CAUSE BINDING OF MOVING PARTS- !S) 100,000 OPERATION 
CYCLES !FLQW) AND RANOOM VIBRATION AT ANTICIPATED MISSION LEVELS APE 
PERFORMED CURING DUAL. ITEM IS USED DURING SYSTE* 6VALUA r I0N TESTS AT 
ViSTF ALLGWING EVALUATION UNDER SIMULATED MISSION USAGE CONDITIONS. 

PROOF PRESSURE, LEAKAGE,- £ OPERATION (CRACKING PRESSURE ANO FLOW) TESTS 
ARE REFORMED OURING ATP. APPROPRIATELY LOCATED TEST POINTS ALLOW 
PRE/POST FLIGHT LEAKAGE TESTS ANO OPERATION TESTS WHCCH APE CONDUCTED AT 
THIS TIME.- (C ) AN IDENTIFICATION IS PERFORMED AMD THE UNIT TAGGED. 
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SH UTT L E CRITICAL ITEMS LIST - CRSITER 102 


SUBSYSTEM : AFT - REACTION CONTROL FHE A NO 03-24 -2CL095-2 REV: 12/12/75 

contamination control process, corrcs. PROTECTION PROVISIONS, f :oe EXAM . . 
CF welds and srazes, insp. for surface and subsurf ace defects are 

VERIFIED BY INSPECTION'- ' THE FOLLOWING ITEMS A 2 E VERIFIED BY SHG= 

TRAVELER MANDATORY' INSP. POINTS - RAW MTA'L (LOT CERTTFICA TIO.v) , PARTS 
PROTECTION, MANUF. , COATING, PLATING INSTALL i T ICN AMD ASSEMBLY 
QPERAT INS, THE ABOVE ITEMS AMO THE FOLLOWING ITEMS WERE VERIFIED BY 
AUDIT CONDUCTED 12-2-77. CONTAMINATION CONTROL PROCESSES, COPRGS. 
PROTECTION PROVISIONS. TURNAROUND - FUNCTIONAL PL GW AND LEAKAGE 
{SACK-FLOW} TESTS ARE PERFORMED. 103 NO PRIOR HISTORY FOR CLOSE FAILURE 
MODE FOR THIS -TYPE OF DESIGN. 
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SUBSYSTEM AFT - RCS 


HARDWARE/SOFTWARE ANALYSIS CHECKLIST sn7?-RH-rnnR-? 

FMEA HUMBER 03-2A-2Q21Q8-1 

FiipI FAILURE MODE External Leakc^e 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION III RESPONSE)?. 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FHEA -EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE-ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR Th£ SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? itOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTIOil IS REQUIRED TO RESPOND. TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER' OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATIQN REQUIRED (SEE BELOW) 


YES jx] NO Q 
*YES Q NO P 
YES □ *NO Q 
YES □ NO □ 
*YES Q NO Q 

*YES □ NO □ 
*YES □ NO P 

*0 □ *10 2 P 

N/A PYES[x]NOn 


YES (X]*NO' □ 
YES (X]*N0 □ 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2. (X] HARDWARE ACCEPTS RISK 


3. D NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. Q RECOMMENDED CHANGES 8EL0W 


In-flight detectability 
(xHfMEA CHANGE RECOMMENDED 


EXPLANATIOiN/COMMEilTS : 


1. Gross leak detection gives first indication. 

2. V42P2115 and 3115 should be deleted from this FMEA page as they are in the oxidizer 
system and not the fuel system. 
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. SHUTTLE CRITICAL ITEMS LIST - OR 3 ITER 102 


SUBSYSTEM SAFT - REACTION CONTROL 
ASSEMBLY ; PROP ELL ANT FEED', FUEL 
P/N RI : MC621-005R 

P/N VENDOR: 73A560001 ; 

QUANTITY 22 

: ONE SET PER PROPELLANT 

SPER MODULE • 


FMEA NO. 02- 2 A -202103-1 


REVS 11/08/7: 


A3GRT : 

MISSIONS; 
PHASE { S > : 


HF 

PL 


REDUNDANCY SCREEN: 


PREPARED SY i 

DES N G GLAVTNICH 

REL CM AKERS 



CP IT. FUNC : 1 

CP IT. HOW: 1 

VF X FF Or SM 
LO X Cu X DO X LS 


A-N/'A 2—' “1/A C-N/fi 

NASA/ : 


APPROVED/ BY 
SSM 

^APPROVED WITH CHANGES 

ITEM:. FEEQLINE AND FITTINGS . See 5eCtlon 13,0 

FROM TANK TO 1) TANK VALVES, TO 25 NANI FOLD VALVES, TC 3) THRU STEFS. 

FUNCT ION 2 

(1) l 1/2 X. 023 304 L S.S. FROM TANK ^ DISTRIBUTION PANEL, (2) l 1/4 
X.C23 FROM MANIFOLD ISOLATION VALVE TO THRUSTS? MANIFOLD, (3? 5/E 
X.028 THRUSTER MANIFOLD T G B ROVIDc FEED TO A I ATE d RC°ELLANT 

COMPONENTS FOR THRUSTER OPEP.ATION-3 AXIS ACCELERATION CONTROL AND 
ROTATIONAL CONTROL- 

-FAILURE MODE: STRUCTURAL FAILURE IS) 

. RUPTURE, EXTERNAL LEAKAGE.. 

-CAUSE (-S }: 

. VIB, FATIGUE, SHOCK,. WELD DEF, INSTALL CAM, DY‘! ATU °c SEAL FAILURE, *AT* 


DEF (SULPHIDE ST.P INGER) . 

■ EFFECT! S ) S ON ( A} SUBSYSTEM { 3 1 INTERFACES (OMISSION COT CRcW/VEH ICLE: 

. (A) SUBSYSTEM 'DEGRADATION - LOSS OF PROP- (3) DEGRADATION OF 

INTERFACE FUNCTION - POSS CGRROS DAMAGE IN PCD * CCJ LAUNCH DELAY 

OR ABORT DECISION. 1-0 1 POSSIBLE LOSS OF CR SW VEH ICLE-IF LINE FROM 
TANK OUTLET- RUPTURES RESULTING IN INABILITY TO UTILtZE/OEPLSTE PROP OR 
PROP REACTS WITH FUEL OR OX CAUSING FIRE OR EXPLOSION. 

.DISPOSITION £ RATIONALE { A 3 DESIGN (8)tEST (C > INSPECTION (Q)FAILURE HISTORY; 

. ( A5 F.S. IS U5 TQ 4.0 MAXIMUM OPERATING PRESSURE (SYSTEM RELIEF). 

CYNATUB'ES HAVE DUAL SEALING SURFACES.- THE WELDED CONSTRUCTION 
ELIMINATES JOINTS AND POSSI BLE^LEAK PATHS. THE ANNEALED AREA (DUE TO' 
WELDING) IS BACKED UP 3Y A SLEEVE. FASTENING CLAMPS ALLOW FREEDOM OF 
MOVEMENT. TUBING BENDS ARE CONTROLLED BETWEEN FIXED POINTS TO 
FACILITATE INSTALLATION AND ACCOMMODATE VEHICLE GROWTH AND MOVEMENT. 

.(85 ROCKWELL PERFORMED TUBING CERTIFICATION TESTS PEP. "ORSITEP TUBING 
VERIFICATION PLAN™ (SD T5-SK-0205). THIS TESTING INCLUDED PRESSURE 
CYCLING' AND' FATIGUE FOR TYPICAL SHUTTLE LINES £ JOINTS. SYSTEM 
-EVALUATION TESTS AT WSTF WILL ALSO ALLOW EVALUATION IN THE INSTALLED 
SYSTEM- CONDITION. LEAKAGE TESTS ARE PERFORMED IN-PROCESS FOR TUBING 
SECTIONS. OPTICAL INSPECTIONS ARE ALSO PERFOP NED AT THIS T IM£ IN 
ADDITION TO X-RAY AND DYE PENETRANT- LEAKAGE TESTS ARE ALSO PERFORMED 
AFTER INSTALLATION INTO THE SYSTEM AND ADDITIONAL WELDS ARE ALSO 
SUBJECTED TO NDE. (C) AN IDENTIFICATION IS PERFORMED AND THE UNIT 
TAGGED. CDNTAM-. CONTROL PROCESSES, CORRCS . PROTECTION PROVISIONS, NDE ' 
EXAM OF WELDS AND INSP. FOR SURFACE ANO SUB-SURFACE DEFECTS IS VERIFIED 
BY INSPECTION. THE FOLLOW I MG ITEMS ARE VERIFIEO BY SHOP TRAVELER 


BBS 
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SHUTTLE CRITICAL ITEMS LIST - CR3ITER 102 


SUBSYSTEM JAFT — -REACTION CONTROL FME.A NO 03-2A -HO 2103-1 PEV: 1 1/03/7 

MANDATORY INSP- POINTS- RAW MAT * L ( LGT CERTIFICATION) , PARTS PROTECTION, 
MANUF. , COATING, PLATING, INSTALLATION AND ASSEMBLY OPERATIONS- 
HARDWARE IS INSP. IN ACCORDANCE WITH WUAHTY PLANNING P.EQMTS DOCUMENT 
(QPRD) WHICH HAS BEEN APPROVED 8Y NASA. TURNAROUND— LIMES IN ACCESSIBLE 
APEAS ARE VISUALLY INSPECTED FOR EVIDENCE OF DAMAGE AND FLOW AND 
PRESSURE FUNCTIONAL TESTS .ARE MONITORED FOR EVIDENCE OF OBSTRUCTION OR 
LEAKAGE- (u i' MINOR HISTORY - CORRQS ICN/FA3 PROBLEMS DETECTED DURING 
APPGLLC CHECKOUT AND CORRECTED- 
CORRECTED. 


SS6 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

SUBSYSTEM AFT - RCS FMEA HUMBER 03-2A-2021 09-1 

ITEM Feedline & Fittings, OX FAILURE node External Leakage 

1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e.,, AUTOMATICALLY YES fjj NO Q 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE}?- 

la. IF HOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES Q NO Q 

USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS I AND la CONSISTENT WITH THE FMEA EVALUATION OF YES Qj *N0 Q 

IN-FLIGHT DETECTABILITY? 

3. DOES- THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES Q NO (T] 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC}? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YE$ Q HO Q- 

FAILURE MOOE (EITHER BY COM' ANDING HARDWARE ACTION- OR IMPLEMENTING ALTERNATE 

PROGRAM LOGIC)? __ _ 

4. AS A RESULT OF THIS FAILURE MOOE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES Q NO [x] 

INDUCE ANOTHER FAILURE? ■ • _ 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES Q NO [xj 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 0 *lQ 2Q 

ACTION ANO HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. . _ _ 

: 7 . IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A □yES^HOQ 
TO SIGNAL IKE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS 8E ENGAGED AFTER, OCCURRENCE? YES GJ*NO Q 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEKICLE? YES O*N0 0 

‘EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETENTIOf! RATIONALE SUMMARY 

r.Q NO H/S ISSUES. 3.P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2. 0 HARDWARE ACCEPTS RISK 4. O DETECTION- DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW- 


□ FMEA CHANGE RECOMMENDED 



1. Gross leak detection gives first indicatio 
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SHUTTLE CRITICAL ITEMS LIST - C? BITER 102 


SUBSYSTEM : AFT - RSACTIGN CONTROL 


FMEA NC 03-2A -202109-1 


REV : 11/03/75 


ASSEMBLY : PROPELLANT' FEED, OXIDIZER’ ABORT: 

P/l N Ri :MC621— 0059 ■ 

P/M V EM DuR :73A 560002 MISSIONS: 

QUANTITY : 2 PHASE (5): 

:GNE SET PER PROPELLANT 


CP IT* FUNC: 1 

CP IT . HOW- : 1 

H F VF X FF OF SM 
PL X LO X CO X DO X LS X 


i REDUNDANCY SCREEN: A— N f A S-N/A C-M/A 


PREPARED BY: 

DES N C GLAVI NICH 

RSL C.M AKERS 


APPROVED 
DES • 

rel r 


BY: 




TQ Zi MANIFOLD VALVES TC 


See Section 13.0 
3) THRUSTERS. 


ITEM: FEEDLINE' AND FITTINGS 
. FROM TANK TO l) TANK VALVES 
FUNCTION: 

(• L ) 1 i/4 X. 023 304L S.S. FROM r INK TC 3I-STR IEUT ION PANEL, (2) I i/2 - 

X. 023 FROM MANIFOLD ISOLATION i/ALVE TC THf. US TEC M AN IFCLD (35 3/ + 

X. 023 THRUSTER MANIFOLD TO PROVIDE FEED T c APPROPRIATE ?°C°ELL ANT 
COMPONENTS FOR THR'JSTER OPERATION - 3 AXIS ACCELERATION CONTROL AND 
ROTATIONAL CONTROL® 

.FAILURE M ODE : STRUCTURAL FAILURE tS) 

RUPTURE, EXTERNAL LEAKAGE. 

.CAUSE! S ) : 

. MECHANICAL SHOCK, v I SR A T IGN /F A T I -DU E * IMORCPE 0 I M S T ALLA" I CM U5LD). 

0YNATU8E SEAL FAILURE MATH. nEFTCIEMCv (SULPHITE STRINGER). 

. EFFECT! S): ON ! A) SUBSYSTEM ( 3 ) INTERFACES (C)**I3SJCK (D) CPEV./V5H ICLE: 

„ { A ) SUB-SYSTEM DEGRADATION - 'LOSS OF P 3 0?ELL AT T . ( B) DEGRADATION OF 

. INTERFACE FUNCTION - POTENTIAL CORROSION FFC M FREE PROPELLANTS IN 

MODULE., ! C) ABORT DECISION. (D) POSSIBLE LOSS OF C°=W VEHICLE - IF 

LINE FROM TANK OUTLET RUPTJRES RESULTING IN INABILITY TO 
UTILIZE/DEPLETE' PROP OR PROP- REACTS WITH FUEL CR OXIDIZER CAUSING 
FIRE CR EXPLOSION. 

.DISPOSITION £ RATIONALE (A)DESIGN ! S) TEST (C ) I NSPECTICN !D)F4lLUP.E HISTORY: 
. (A) F.S. IS 1.5 TO 4.0 MAXIMUM OPERATING PRESSURE !S.YS T EM RELIEF)., 

OYNATUBES HAVE DUAL SEALING SURFACES. THE W ELD ED CONSTRUCTION 
ELIMINATES JOINTS AND POSSIBLE LEAK PATHS. THE ANNEALED AREA (CUE TO 
WELDING) IS BACKED UP BY A SLEEVE. FASTENING CLAMPS ALLOW FREEDOM OF 
MOVEMENT. TUBING BENDS ARE CONTROLLED BETWEEN FIXED POINTS to - 
FACILITATE INSTALLATION AND ACCOMMODATE .VEHICLE G=OWTH AND MOVEMENT. 

IB). ROCKWELL PERFORMED TUBING CERTIFICATION TESTS D ER "ORBITE 5 TUBING- 
VERIFICATION PLAN" f SD73-SH-02Q5) . THIS TESTING INCLUDED PRESSURE 
CYCLING AND FATIGUE FOR TYPICAL SHUTTLE LINES £ JOINTS. SYSTEM 
EVALUATION IN THE INSTALLED SYSTEM- CONDI TIGN . LEAKAGE TESTS APE 
PERFORMED AT THIS TIME IN ADDITION TO X-RAY AND CYE PENETRANT. LEAKAGE 
TESTS ARE ALSO PERFORMED AFTER INSTALLATION - INTO THE SYSTEM AMD 
ADDITIONAL WELDS ARE ALSO SUBJECTED TO NOE. (C) AN IDENTIFICATION IS 
PERFORMED AND THE UNIT TAGGED. CONTAM. CONTROL PROCESSES, CORRQS. 
PROTECTION PROVISIONS, NOE EXAM CF WELDS AND INSP. FOR SURFACE AND 
SUB-SURFACE DEFECTS IS VERIFIED BY INSPECTION. THE FOLLOWING ITEMS ARE 
VERIFIED BY SHOP TRAVELER MANDATORY IMSP. POINTS- RAW MAT* L CLOT 
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CP3ITER 102 


SHUTTLE CRITICAL ITEMS LIST 


SUBSYSTEM : AFT - REACTION CONTROL FMEA NO 03-2A -202L09-I REV: 11/03/7 
CERTIFICATION, PARTS PROTECTION, MANUF. , COATING , PLATING, INST ALATICN 
AND ASSEMBLY OPERATIONS, HARCWARE IS INS?. IN ACCORDANCE WITH QUALITY 
PLANNING RSQ.MITS DOCUMENT (QPRO) 'WHICH HAS SEEN AP Q ECV£D BY NASA. 
TURNAROUND- LINES IN ACCESSIBLE AREAS ARE VISUALLY INSPECTED FOR 
EVIDENCE OF DAMAGE ANO FLOw AND PRESSURE FUNCTIONAL TESTS ARE "CNtTORSD 
FOR EVIDENCE OF OBSTRUCTION OR LEAKAGE. (D> *INCR HISTORY - 
CORROSION/ FA 8 PROBLEMS Q£ T j£CTEQ DURING APPOLLC CHECKOUT AW'D CORRECTED. 

ARE MONITORED FOR EVIDENCE OF OBSTRUCTION OR LEAKAGE. (DJ MINOR 
HISTORY - CORROSION /FAB PROSLEMS DETECTED DURING APPGLLQ CHECKOUT AND 
CORRECTED . ‘ 
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• HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-01 03-2 
SUBSYSTEM AFT - RCS FMEA NUMBER 03-2A-2021 1 0-1 

ITEM Tank Isnlatinn Valvp^ fl C FAILURE MODE Fails Closed 


1 . 

OOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

YES 

00 NO 

□ 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

♦YES 

□ NO 

□ 

2. 

ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

YES 

[Xj *N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

□ NO 

E 

3a . 

IF NOT, DOES THE CAPABILITY EXIST’ FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING .ALTERNATE 
PROGRAM LOGIC)?. 

♦YES 

i 

(3 NO 

□ 

4. 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

♦YES 

□ NO 

a 

5. 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER’ FUNCTIONS? 

♦YES 

D NO 

a 

6. 

HOW. MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AMD HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

*o □ 

*10 

2D 

7. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED ‘FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

N/A □ YES [3 NO Q 

8. 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE 3FS BE ENGAGED AFTER OCCURRENCE? 

YES 

0*r:o 

□ 


3. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

□ *N0 

■£3 


♦EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 
!.□ NO H/S ISSUES 
2 HARDWARE ACCEPTS RISK 


3.0 NO SOFTWARE DETECTION 
4.13 DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. Q-RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 

EXPLANATION/ COMMENTS : 

1. First indication "failed off" thruster C&W for 1/2 leg. Redundant paths on 3,4,5 leg. 

3A.' Software could be designed to automatically position the aporopriate tank isolation 

valve. 

6. One success path remains after first failure. 

8B. Same as primary. 
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SHUTTLE CRITICAL ITEMS LIST - CP3ITSR 102 


SU3SYSTSM : AFT - REACTION CONTROL 
•ASSEMBLY : PRO PELLA NT FEED 
.P/N PI : M C 2 84— 043 0- 00 07 /-G 03 3 

.P/N VENOGR: 575 CO Z 5/ 5750026 
.QUANTITY :12 

. : THREE VALVES PER PROP 

. • STANK 


FMEA NC 03-2 A 
ABORT: ABORT , 
RTLS 

MISSIONS: HF 

PHASEtS): PL 


Z0211Q-1 REV: 12/12 
CR IT, FUNC: L~ 

CRIT. HOW: 2 

V F X FF OF SM 
LO X CO X 00 X LS 


REDUNDANCY SCREEN s A-PASS 0-PASS C-= 


• PREPARED BY: APPROVED 

.OSS R GONZALEZ DES _ 

.REL C H AKEPS PEL <L 




VED WITH CHANGES 


See Section 13.0 ■ 
t Ll 5— 2CCV J LV261-266, 


.ITEM: VALVE. 

. TANK ISOLATION 3 PHASE 400 HZ AC MOTOR ACTUATED 
LV 361-366. (1 -I/? IN-.} 

.FUNCTIONS 

. THREE REDUNDANT ISOLATION VALVES ARE USED PEP TANK TO ISOLATE GROUPS 0= 
MANIFOLDS (ONE -TANK ISOL VALVE CONTROLS 2 MANIFOLDS AMO TWO PARALLEL 
ISCL VALVES CONTROL THE REMAINING 2 PRIMARY MANIFOLDS AND THE VERNIER 
MANIFOLD! THAT MAY EXHI3IT "PEN OR LEAKAGE FAILURES' AND Tc ISOLATE THE 


TANK DURING INTERCONNECT S RCS 
TO PREVENT HELIUM INGESTION TC 
FUEL £ OXIC VALVES CAN 3s GPER IT ED INQEP SNOEN 


OR OMS CFOS SPEED L'P EP ATI CNS . ALSO USED 
ENGINE AT P ‘ 3 C P ouv-GUT (MANUAL SWITCH). 

•LY FOR C/0. LINE PRESS 


RELIEF TO TANK IS °*OVIDED. 

.FAILURE MQOE: PAILS CLOSED IF) 

. FAILS TQ OPEN »■ FULS TC REMAIN OPEN. 

.CAUSE(S): 

. LIMIT SWITCH MALFUNCTION, PREMATURE POWER TO ^OTOR, ELECTS tAL SHORT, 
RPC OPEN, JAMMING OF BALL ShAFT OR CAMS- 
. EFFECT l S } s ON (A) SUBSYSTEM l 3 ) IN TERFACES { C ) MISSION W LCSSW75H I CLE: 


( A ,8 ) LOSS OF REDUNDANCY PRCPELLANT FLOW- TO TWO MANIFOLDS ION ONE SIDE) 
AND SUBSEQUENT LOSS OF THRUSTER FUNCTION, POTENTIAL THRUSTER DAMAGE 
FROM INDUCED SURGE. (O A SORT DECISION ( DEFENCENT ON WHICH TANK ISOL 
VALVE FAILS, ONE. TANK ISOL VL7 CLOSED MAY LCSE TWO MAN I FOLCS ) • 10) ,NC 

EFFECT FOR SINGLE FA-ILURS FCR OFT MISSIONS (LOSS OF THRUSTER «AY 8E 
CRITICAL FCR RTLS IN SU5 SEQUENT MISSIONS FOR OMS DEPLETION BURN).' C“I~ 
1 FOR RTLS - LOSS OF TWO ' KAMI FOLDS (PER POO AFT) IS CRITICAL FOR ET 
SEPARATION S, MATEO COAST DURING RTLS. ( E) FUNCTIONAL CRITICALITY cFFEL 
- POSSIBLE CREW/VEHICAL LOSS DUE - TO UTILIZE/CSPL5T5 PCS PROPELLANT. 


POSSIBLE INABILITY TQ CONTROL VEHICLE DURING ENTRY DUE TC INABILITY TC 
UTILIZE RESERVED PROPELLANT £ C.G. PROBLEMS DUE TO PROP WEIGHT. 

.DISPOSITION £ RATIONALE- (A) DESIGN (3) TEST (C ) INSPECTION ID) FAILURE HISTG- 
(A) AC MOTOR VALVE IS 3-PHASc - 2 CF 3 WINDINGS ARE ADEQUATE FOR VALVE 
FUNCTION. SERIES (HYBRID) RELAYS PROVIOE REDUNDANCY FOR THE PREMATURE 
CLOSE MODE. PARALLEL (HYBRID) RELAYS PPQVtCE REDUNDANCY FCR ELECTRICAL 
POWER SIGNAL. ADDITIONALLY,. REDUNDANT VALVES ARE PROVIDED . (ONE TANK 
ISOL VALVE CONTROLS 2 OF 4 MANIFOLDS- AND TWO PAALLEL TANK ISOL VALVES 
CONTROL THE REMAINING 2 PRIMARY MANIFOLDS AND THE VERNIER MANIFOLD). A 
-400-MICRON FILTER IS -UTI L IZED ' ON THE INLET AND OUTLET TO LIMIT THE 
POTENTIAL FOR CONTAMINATION CAUSED FAILURE OR GAMMING OF MOVING PARTS.. 


ORIGINAL PAGE Hi 
OF POOR QUALITY 
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SHUTTLE CRITICAL ITEMS LIST - 0R3 ITER 102 


SUBSYSTEM : AFT - REACTION CONTROL FMEA NO C3-2A -232L1G-1 RE/: 12/12/73 
(B) 2500 OPERATION' CYCLES (OPEN— CLOSE— OPEN ) ‘'•NO RANDOM VIBRATION AT 
ANTIC IPATEO MISSIGH LEVELS ARE PERFORMED DUP.IMG QU4L. ITEM IS USED 
DURING SYSTEM EVALUATION TESTS AT LSTP ALL GV I NG EVALUATION Uf4Dc p SIM- 
ULATED MISSION USAGE CONDITION. PROOF PRESSURE, LEAKAGE, CPEPATIQN , 
CONDUCTED AS PART OF PRE/POST FLIGHT CHECKOUT , (CJ A VISUAL I.NSP AND 
IDENTIFICATION IS PEPFORHED. CpNT AMINAT ION CON T3 dL PPOCESS, CORDS. 
PROTECTION OROVISIONS, NOE EXAM GF VjELDS, INS? FOR SURFACE AND 
SU3SURFACE DEFECTS 'AND PROPER ELECTRICAL TERMINATIONS, Ra'w MAT* L (LOT) 
CERTIFICATION, PARTS PROTECTION, COATING AND PLATINS PROCESSES ARE 
VERIFIED BY INSPECTION. M4NUF, INSTALLATION, AND ASSY rGP£R AT IONS ARE 
VERIFIED BY SHOP TRAVELER MANDATORY I MSP POINTS. THE A3CVE ITEMS AND 
THE FOLLOWING ITEMS wgRE VERIFIED BY AUDIT CONDUCTED JULY 1976/ 
CONTAMINATION CONTROL PLAN, PROPERLY MONITORED HANDLING AND STORAGE 
ENVIRONMENT, SPECIAL MEASUREMENT STANDARDS A NO ECU IP AND MAT • L AN D EQUIP 
CONFORMANCE TO CONTRACT R.EQtfT S. TURNARC'JflD/^l'NCTI CNAL FlOL a LEAKAGE 
TESTS ARE MONITORED TC VERIFY ThAT VALVcS OPEN 4 NO CLC3E "*0*3? LYUPON . . 
COMMAND. { DJ NO PRIOR FAILURE HISTORY FOR THiS TYPE DESIGN. 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-01 03-2 

SUBSYSTEM AFT - RCS FHEA HUNGER 03-2A-2021 1 0-3 

ITEM Tank Isolation Valve, A. C. FAILURE MODE Fails Open 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE CQULO 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA- EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE -ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HAROWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM' LOGIC)’? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO' EITHER 1 OR 3 IS YES: 

A. . CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES [Xj*f!0 □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES [x}*NO ' Q 

*£XPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 3-0 NO SOFTWARE DETECTION 5. Q ACCEPTANCE RATIONALE BELOW 

2.0 HARDWARE ACCEPTS RISK 4. (E3 DETECTION DURING CHECKOUT 6. Q RECOMMENDED CHANGES BELOW 


YES 

□ NO 

0 

*YES 

0 NO 

□ 

YES 

0*NO 

□ 

YES 

□ NO 

S3 

*Y£S 

Q NO 

□ 

i 

*YES 

□ NO 

S3 

*YES 

□ NO 

tu 

*o □ 

i *!□ 

2 ® 


N/A □yESQnoQ 


• • Qfhea CHANGE RECOMMENDED 

EXPLAHATION/COflMENTS: 

1A. Tank isolation valve discreets are available. 
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SHUTTLE CRITICAL ITEMS LIST - CRB ITER L02 


SUBSYSTEM : AFT - REACTION CONTROL 
ASSEMBLY : PROPELLANT F EED 
P/N ftl :MC2 34-0430-0007 /-00C3 
P/N VENDOR: 57 5 CO 25/5 7 50026 
QUANTITY : 12 •' 

sTHRSE VALVES °ER PROF 
JTANK 


FMEA MG 03— 2 A -202110-3 REV: 12/12/73 
ABORT: ABORT, . CRIT. FUMCs 2 


RTLS 

MISSIONS: HF 

PHASECS)-: PL 


CRIT. HDW : 
VF X FF CF SM 
LO X CC X 00 X LS 


PREPARED SY 

OES 

REL 


i 


REDUNDANCY SCREEN 

n 


R .GCN2AL£Z/P.i. 
C M AKERS 


APPROV 
DES jtJ&l 
REL <U£L 



' 71 / 77 * 


ITEM: VALVE, 

TANK ISOLATION 3 PHASE AGO HZ AC MGTCR iCTI JAT5G 
LV 361-366. 


: A-PASS B-PASS C-PASi 



.FUMCT ION:. 


THREE REDUNDANT ISOLATION VALVES ARE USED PER T *•*!.< ISOLATE GROUPS C? 

MANIFOLDS (ONE TANK ISOL VALVE CDNTPCLS 2 MANIFOLDS AND TwC PARALLEL 
I SOL VALVES CONTROL THE REMAINING 2 PRIMARY NANI -OLDS AND TIE VERNIER 
NAN I FOLD) THAT MAY EXH £3 I T OPEN CR LEAKAGE FAILURES AND TP ISOLATE THE 
T 4NK DUPING INTERCONNECT S fCS GR QMS CPCSSFESO n =£ 3 ATIC-NS . ALSO USED 
*0 PREVENT HELIUM INGESTION 7 C ENGINE 4* p^uP* -Nr^-GUT { 14VJAL S-ITCH)., 
FUEL £ CXIO VALVES- CAN BE •JPERa t ED INQ EP ENDENTLY FOR C/0. LI'>E PRESS 
RELIEF TO TANK IS PROVIDED. 


.FAILURE MODE: INTERNAL LEAKAGE (*=) 

. FAILS OPEN, FAILS TG CLOSE, FAIL TG REMAIN CLOSED. 

.CAUSE(S): 

. VIBRATION, LIMIT" SWITCH MALFUNCTION* STRUCTURAL FAILURE, SEAT CRACKS 
CONTAMINATION, CCRRGS, LOSS OF SIGNAL (RPC SHORTS ORJJPEN). 

• EFFECT ( S ) : ON ( A ) SUBSYSTEM ( B ) INTERFACES CCJ«ISSIC.N (0 1 CREW /VEHICLE: 

.. ( A ,3 ) LOSS OF REDUNDANCY - (MANIFOLD- ISOLATION). (CJ A 3 CP. T CFC (SIGN - 

PROPELLANT MANAGEMENT PROBLEMS DURING CRQSSFEED OPERATIONS. (D) NO 
EFFECT - CRIT 1 FOR RTLS- IF PCS TANK ISOLATION VALVE WILL NCT CLC-SS 


DURING OMS DEPLETION 3URN THE RC3 PROPELLANT MAY BE DEPLETED IF ASSOC 
MANIFOLD ISOLATION VALVES ARE NOT CLOSED. 

.DISPOSITION £ RATIONALE (A)OESIGN £3)TEST {C ) INSPECTION (D)FAILURE HISTORY: 
(A) AC MOTOR VALVE IS 3-PHASS - 2 OF 3 WINDINGS ARE A CSQUA T E FOR VALVE 
FUNCTION- PARALLEL (HYBRID) RELAYS PROVIDE REDUNDANCY FCR ELECTRICAL 
POWER SIGNAL. A 400-MICRON FILTER IS UTILIZED ON THE INLET AND OUTLET TG 
LIMIT THE POTENTIAL FOR CONTAMINATION CAUSED FAILURE CR' JAMMING OF 
MOVING PARTS. (3) 2500 OPERATION CYCLES (OPEN-CLOSE- OPEN) AMD RANDOM 
VIBRATION AT ANTICIPATED MISSION LEVELS ARE PERFORMED DURING OUAL* ITEM 
IS USED OURING SYSTEM EVALUATION TESTS AT WSTF ALLOWING EVALUATION UNDER 
SIMILATED MISSION USAGE CONDITION. PP.GQF PRESSURE,- LEAKAGE, OPERATION, 
CONDUCTED AS PART OF PRE/POST FLIGHT CHECKOUT. (C) A VISUAL IN5P AND 
IDENTIFICA ITCN IS PERFORMED. CONTAMINATION CONTROL PROCESS, CORQS. 
PROTECTION PROVISIONS, NOE EXAM OF WELDS, r.NSP FOR SURFACE AND 
SU8SURFACE DEFECTS AND PROPER ELECTRICAL TERMINATIONS, RAW MAT’ L t LOT) 
CERTIFICATION-, PARTS PROTECTION, COATING ANO PLATING PROCESSES ARE 
-VERIFIED BY INSPECTION. MAMUF , INSTALLATION , ANO ASSY OPERATIONS ARE 



ids 
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SHUTTLE CRITICAL ITEMS LIST - CRB ITER L02 


SUBSYSTEM :*FT - REACTION CONTROL FMEA NO 03-2A -202110-3 REVs.lZ/12/78 

VERIFIED BY SHOP TRAVELER MANDATGRY INSP POINTS. THE ABOVE ITEMS AND 
ThE FOLLOWING ITEMS WERE VERIFIED BY AUDIT CONDUCTED JULY 1976/ 

CONT AMINAT ICN- CONTROL PLAN, PFOPcRLY MONITORED HANDLING AND STORAGE 
ENVIRONMENT, SPECIAL MEASUREMENT STANDARDS AFD ECUIP AND M AT * L AND E3UIP 
CONFORMANCE TO CONTRACT R EQMTS. TURNAROUND - FUNCTIONAL F LOW £ LEAKAGE 
TESTS ARE MONITORED TYO VERIFY THAT VALVES OPEN AND CLOSE ®RQ a ERL Y UPON 
COMMAND. CD) NO PRIOR FAILURE (-1 IS TORY FOP. THIS TYPE DESIGN. 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

SUBSYSTEM AFT - RCS . FMEA HUMBER 03 -2A-202 111-2 

ITEM- Interconnect Valve. A. C. - FAILURE MODE Fails Closed- 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY. 

- ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION- THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF ' 

IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER' BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY' EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HAROWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 1 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER I OR 3 IS YES: 

A-. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES f>Q*«0 Q 

B, WILL BFS TOLERATE- FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES Q*NO ' QE) 

•“•EXPLANATION REQUIRED (SEE BELOW) 


YES 

0 

NO 

□ 

*YES 

□ 

NO 

□ 

YES 

□ 

*NQ 

0 

YES 

□ 

NO 

□ 

*YES 

□ 

NO 

0 

i 

*YES 

□ 

NO 

-0 

*YES 

□ 

NO 

0 

*oC 

1 *H 

[1 

2D 


N/A □ YES0NO □' 


CHANGE /RETENTION RATIONALE SUMMARY 

1. Q NO H/S ISSUES 

2. □ HARDWARE ACCEPTS RISK 


3. P NO SOFTWARE DETECTION 

4. P3 DETECTION DURING. CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 
5. fH RECOMMENDED CHANGES BELOW 


In Flight Detectability 

□3 FMEA CHANGE RECOMMENDED 

EXPLANATION/COMHEMTS : 

1.. . "Failed off" thruster gives. first indication. 

6. One success path remains after first failure. 

8B. Same .as primary. 
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SHUTTLE CRITICAL ITEMS LIST - C?3ITe? 102 


SUBSYSTEM : AFT - REACT ION CONTROL F.M6A MC 32-2A -Z02LU-Z RSV: 1 2/12/7=- 
\SSE m BLY J PROPELLANT FEED ASCRT: ABORT , C 7 1T. FUNC: 2* 

P/N R I :.MC2 84-— 04-3 0— 30 J 7 /'-0003 R*LS CR IT. HOW : 3 

?/N VENDOR: 5750025/5750026 MISSIONS: HF 7F X FF "-F SM 

QUANTITY PHASE(S): PL LO X CO X JO X LS 

sTkO INTERCONNECT LIMES 
:?ER PROPELLANT TANK 

REDUNDANCY SCREEN: - 4-PASS E-PASS C-PASS 

PREPARED 3Y: APPROVER BY: / APPROVED SYOMAS/)) : fl / 

DE 5 R GONZALEZ jf$. UES /%f IC\ . S5M 

oci r.-aAtciot 3ci (L.f* s&jj . . , yf/r* a ex A c i r fr T\ n L /T L 


ITSMJ _VALV6._ 
INTERCONNECT. 

FUNCTION: 


C rt AKERS- REL ^^f[L.J^3aM^AaL~. 

AkBROvEO WITH CHANGES 
See Section 13.0 


PRESSURE RELIEF TOWARDS P"CP TANK IS PROVIDED. 

.FAILURE «*?C = : r AILS Cl vSe ' (F) 

. FAILS TO REMAIN OPEN. • ; 

• i» AUsElS): 

. VI? , LI y IT SF FAILURE, PREMATURE °G'.i£R TO .'-DTP, ELECT? I C A L SHORT RPC 
CPE'!, JAMMING OF Ci*. 

..EFFECT IS): ON {A1SU3S V ST=M { 3 ) INTERFACES (C)’’ISSICM ( “* ) C - c V/ VEH ICLE : 

. ( A) LOSS CF REDUNDANCY. {"} DEGRAQATICN OF INTERFACE 

FUNCTION-CROSS FED PROP CAN PE UTILIZED BY ONLY 2 OF 4 " * FCLD 3ANKS- 
[ Cl MISSION MODIFICATION— OPERATION CHANGES F C~ ITEM S A3CVE. % (0) NC 

EFFECT FOR OFT MI-SSICMS (LOSS OF THRUSTER MAY PE CRITICAL FOR R T L3 IN 
SUBSEQUENT MISSIONS FCR CMS DEPLETION BUSH). CR IT l FOR RTLS - LCSS OF 
1 MANIFOLD FORWARD £ L MANIFOLD AFT IS CRITICAL FOR ET SEPARATION £ 
MATED COAST DURING RTLS. SINGLE COMPUTE? FAILURE COULD RESULT IN THIS 


.DISPOSITION £ RATIONALE CA)nc SICN (b)TEST (C ) INSP ECTION { 0 ) FAILURE HISTORY: 
. (A) AC .MOTOR VALVE IS 3-PHASE - 2 QF 3 WINDINGS ARE ADEQUATE FOR VALVE FUNCTION. 

StRIES (HYBRID) RELAYS PROVIDE REDUNDANCY FOR THE PREMATURE CLOSE MODE. PARALLEL 
(HYBRID) RELAYS PROVIDE REDUNDANCY FOR ELECTRICAL POWER SIGNAL. ADDITIONALLY, 

REOUNOANT VALVES ARE PROVIDED. A 400-MICR0N FILTER TS UTILIZED ON THE INLET AND 
OUTLET TO LIMIT THE POTENTIAL FOR CONTAMINATION CAUSED FAILURE QR JAMMING OF MOVING 
PARTS. (9) 2500 OPERATION CYCLES (OPEN -CLOSE-OPEN) AND RANDOM VIBRATION AT 
•ANTICIPATED MISSION LEVELS ARE PERFORMED DURING QUAL. ITEM IS USED DURING SYSTEM v 
EVALUATION TESTS AT WSTF ALLOWING EVALUATION UNDER SIMULATED MISSION USAGE CONDITION, 
PROOF PRESSURE, LEAKAGE", OPERATION, CONDUCTED AS PART OF PRE/POST FLIGHT CHECKOUT. 

(C) A VISUAL INSP ANO IDENTIFICATION IS PERFORMED. CONTAMINATION CONTROL PROCESS, 
CORDS'. PROTECTION PROVISIONS, NDE EXAM OF WELDS, TNSP FOR SURFACE AND SUBSURFACE 
2^45 AND PR 9 P£R e, - ECTR ICAL TERMINATIONS, RAW MAT'L (LOT) CERTIFICATION, PARTS - 
-PROTECTION, COATING ANO PLATING PROCESSES -ARE VERIFIED 8Y INSPECTION. MANUF, 
INSTALLATION, AND ASSY OPERATIONS ARE VERIFIED 8Y SHOP TRAVELER MANDATORY INSP 
POINTS. THE ABOVE ITEMS AND THE FOLLOWING ITEMS WERE VERIFIED BY AUDIT CONDUCTED 


3.022 
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• SHUTTLE CRITICAL ITEMS LIST - CRB ITER 102 


SUBSYSTEM :AFT REACTION CONTROL FMEA NO. 03-2A-202111-2 REV: 12/12/78 

JULY 1976/CONTAMINATION 'CONTROL PLAN, PROPERLY MONITORED HANDLING AND 
STORAGE ENVIRONMENT, SPECIAL MEASUREMENT STANDARDS AND EQUIP AND MAT’L 
AND EQUIP CONFORMANCE TO CONTRACT REQMTS. TUHNAROUND/FUNCTIQNAL FLOW & 
LEAKAGE TESTS ARE MONITORED TO VERIFY THAT VALVES OPEN AND CLOSE PROPERLY 
UPON COMMAND. (D) NO PRIOR FAILURE HISTORY FOR THIS TYPE DESIGN. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-01 03-2 
SUBSYSTEM AFT - RCS FMEA HUMBER 03-2A-2021 20-3 

ITEM Manifold Isolation Va 1vp ; A. C. FAILURE MODE Fails Closed 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

YES 

□ NO 

a 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

♦YES 

□ NO 

p 

2. 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

YES 

GO *N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING. HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

[X] NO 

□ 

3a. 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

♦YES 

□ NO 

□ 

4. 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? ' - 

♦YES 

□ NO 

0 

5. 

CAN' THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

♦YES 

□ NO 

0 

S. 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

*0 □ *lQ 2 |T] 

7. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

n/a-OyesDnoO 

3. 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE 8FS BE ENGAGED AFTER OCCURRENCE? 

YES 

GO*no 

□ 


3. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

QO*no 

□ 


♦EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 

1 . □ NO H/S ISSUES 3. Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2. □ HARDWARE ACCEPTS RISK 4. KJ DETECTION DURING CHECKOUT 5. □ RECOMMENDED CHANGES BELOW 


0FMEA CHANGE RECOMMENDED 


EXPLAHATION/COMMENTS : 

3. RCS RM automatically detects and prevents thrusting. 
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SHUTTLE CRITICAL ITEMS LIST - CRBITcR 102 


SUBSYSTEM : AFT - REACTION CONTROL 
•ASSEMBLY 5 PROPELLANT FEED 
•P/N RI :MC 234-0430-000 L/— 300 2 

♦ P/M V EjM 00 R: 573 002 3/57 50024 

• QUANTITY SL6 

* SFGUR PRIMARY VALVE MANX — 

• 2F0LCS PER PROP 


FMEA MG 03— Z A 
ABORT I 43CPT, 
RTLS 

MISSIONS: HF 

PHASEtS): PL 


-232120-3 . REV; 12/12/72 

c?:t. func; iz 

CRIT. HOW: 3 

VF X FF CF SM 
LG X CC X DC X LS ' 


REDUNDANCY SCREEN: 4-PASS 5-PASS C^PASS 


i 


•PREP AREO 3Y: APPROVER 3YS 

•OSS R. GONZALEZ. DES &.L& ' 

• ReL CM AKERS SEL <L : . 



•ITEM: VALVE 


p - -JCOJL 

f ApfevED WITH CHANGES 
See Section 13.0 


• MANIFOLD ISOLATION. 3 PHASE. 400 HZ AC MOTOR flPFRATFD fMS-ZnnV) M 1/2" 
1 1/4" OUTLET). ' 

♦FUNCf IGN: — ~ = 


• 1) TO ISOLATE THRUSTERS PRC** PROPELLANTS PR ICR TG SYSTEM AG TIVATTC* 1 A .NO 
2) TO ISOLATE A FAILED OPEN THRUSTER OR DOWNSTREAM LEAK. EACn 
MANIFOLD ISOLATION VALVE CONTROLS 3 Qc IMARY THOUSTP^S, LIME o^ESSURc 
RELIEF TOWARDS PROP TiMK is PROVIDED. 

.FAILURE MODE: FAILS CLOScO-PKSMATURE (P) 

• OPERATION^ FAILS r G REMAIN rpc'l. 


.CAUSEtS): 


V I BRAT ION » LIMIT SWITCH MALFUNCTION, pftP^A^UFE °0W =R TO MCTCF. 


P» STATURE MOTOR SIGNAL. 5 SHORT. 

. EFFECT { S ) : ON ( A 5 SUBSYSTEM { 3 ) INTERFACES (C) MISSION (0 3 CR EW/V EH ICL5: 

. (A) l 5) LOSS OF REDUNDANCY-LOSS OF PRO? FLO £ USE 0 3 PRIMARY 

THRUSTERS (l CF 4 MANIFOLDS). (C)(0) NO EFFEC T FG= SINGLE FAILURE FOR 
OFT MISSIONS (LOSS OF THRUSTER ^AY 3E CRITIC*.!. for rtl S IN 3UBSE0UENT 
MISSIONS FOR CHS DEPLETION BURN). CR IT I FGF RTLS - LOSS CF I MANIFOLD 


FORWARD S 1 MANIFCLOAFT IS CRITICAL FCR- ET SEPARATION S MATED COAST 
DURING RTLS. SINGLE COMPUTER FAILURE COULD S ESLL T IN THIS Ty°E 
CONDITION. (E) FUNCTIONAL CRITICALITY EFFECT - 3CS3ISLS CREW/VEHICLE 
LOSS DUE TO INABILITY TO USE RCS IF ALL MANIFOLD VALVES FAIL CLOSED. 

.DISPOSITION £ RATIONALE ( A ) DESIGN (B) TEST (C) INS a EC T I:3N ( D 5F AIUJRE HI STORY:. 

. (A) AC MOTOR VALVE TS 3 -PHASE - 2 OF 3 WINDINGS ARE ADEQUATE FOR VALVE FUNCTION. 

SERIES (HYBRID) RELAYS PROVIDE REDUNDANCY FOR THE PREMATURE CLOSE MODE. PARALLEL 
(HYBRID) RELAYS PROVIDE REDUNDANCY FOR ELECTRICAL POWER SIGNAL. ADDITIONALLY, 

REDUNDANT VALVES ARE PROVIDED. A 400-MICRQN FILTER IS UTILIZED ON THE INLET AND 
OUTLET TO LIMIT THE POTENTIAL FOR CONTAMINATION CAUSED FAILURE OR JAMMING OF MOVING 
PARTS. (8) 2500 OPERATION CYCLES (OPEN-CLOSE-OPEN) AND RANDOM VIBRATION AT 
ANTICIPATED MISSION LEVELS ARE PERFORMED DURING QUAL. ITEM IS USED DURING SYSTEM 
EVALUATION TESTS AT WSTF ALLOWING EVALUATION UNDER SIMULATED MISSION USAGE CONDITION. 
PROOF PRESSURE, LEAKAGE, OPERATION, CONDUCTED AS PART OF PRE/POST FLIGHT CHECKOUT. 

(G) A VISUAL INSP AND IDENTIFICATION IS PERFORMED. CONTAMINATION CONTROL PROCESS, 

CORDS. PROTECTION PROVISIONS, NOE EXAM OF WELDS, INSP FOR SURFACE AND SU8SURFACE 
DEFECTS AND PROPER ELECTRICAL TERMINATIONS, RAW- MAT' L (LOT) CERTIFICATION, PARTS 
-PROTECTION, COATING. AND PLATING PROCESSES ARE VERIFIED BY INSPECTION. MANUE, 
INSTALLATION, AND ASSY OPERATIONS ARE VERIFIED BT SHOP TRAVELER MANDATORY INSP 
■ POINTS. THE ABOVE ITEMS AND THE FOLLOWING HEMS WERE VERIFIED BY AUDIT CONDUCTED 
JULY 1976/CONTAMINATION CONTROL PLAN, PROPERLY MONITORED HANDLING AND STORAGE 
ENVIRONMENT, SPECIAL MEASUREMENT STANDARDS AND EQUIP AND MAT’L AND EQUIP CONFORMANCE 


SD75-SE-0003 
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SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM :AFT - REACTION CONTROL FMEA NO. 03-2A-202120-3 REV: 12/12/78 

TO CONTRACT REQMTS . TURNAOUND/ FUNCTIONAL FLOW & LEAKAGE TESTS ARE MONITORED 
TO VERIFY THAT VALVES OPEN AND CLOSE PROPERLY UPON COMMAND. <D) NO PRIOR 
FAILURE HISTORY FOR THIS TYPE DESIGN. 



.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-07 03-2 

SUBSYSTEM AFT RCS FMEA NUMBER 03-2A-2021 40-1 

-ITEM Manifold Isolation Vaivp. n.r FAILURE mode Fails Closed 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (T.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

YES 

□ NO 

0 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

★YES 

□ M 

P 

2. 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT OETECTABILITY? 

YES 

0 *N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

m no 

□ 

3a. 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

★YES 

□ NO 

□ 

4. 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

★YES 

□ NO 

0 

5. 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

★YES 

□ NO 

0 

6. 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION ANO HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

*0 □ *lQ 2D 

7. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

M/A QyEsOOhoQ 

3. 

IF THE ANSWER- TO EITHER 1 OR 3 IS YES: 





A. CAN THE BFS 8E ENGAGED AFTER OCCURRENCE? 

YES 

0*NO 

□ 


B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

Q*no 

-□ 


★EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RSTEHTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 3.0 NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2.0 HARDWARE ACCEPTS RISK 4.QJ DETECTION DURING CHECKOUT 5. □ RECOMMENDED CHANGES 8EL0W 


□FMEA CHANGE RECOMMENDED 

EXPLANATION/ COMMENTS: 

3. The RCS Redundancy Management software will inhibit the firing of those jets associated 
with the failed valve. 

6. There are no success paths remaining after first failure. 

8B. Same as primary. 
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SHUTTLE CRITICAL ITENS LIST - CRDITSR L02 


SUBSYSTEM : AFT - REACTION CONTROL 
ASSEMBLY : PROPELLANT FEED 
P/N RI : MC2 34— 0420— QOll /—OC l 2 

P/N VENDOR: 7 38 95 
QUANTITY : 4 

:TVQ PER MODULE 


FMSA' MC 03-2 A -202140-1 REV: 12/ 12/70 
A30R i • ej i v i"T . 

CHIT. HDV»: 2 

MISSIONS: HF V F X Fr DF SM 

PHASE {5.) : PL LH CC X 00 LS 


PREPARED 8Y : 

DES- R« BURKHART 

REL C M AKERS 


REDUNDANCY SCREEN: A-P ASS 3-PASS C-FAIL 


APPROVED/ 3Y: ,, 

OS 

REL <LS 


dc.... 


APPROVED 8Y /(MASfc ) : 


/ */r ? 




fi 

MED WITH CHANGES 


ITEM': VALVE. 

MANIFOLD ISOLATION* VERNIER T HPUST£R, SCLENO 
(LATCdING) LV 258/257/357/053. 

FUNCTIGN: 

TO PROVIDE VERNIER THRUSTER ISOLATION:.!) PP 
AMD 23 IN THE EVENT OF A RUNAWAY THRUSTER OF 
FAILURE MODE: FAILS CLOSED. < P 1 


See Section 13.0 
ID (2SVDCJ 3 l-S T ADLE 

ICR *0 SYSTEM *-C T IV AT ION 
■•!M(FOLD leak. 


CAUSELSU 

IMPROPER SLrC T RIC AL SIGNAL 


(CONTINUOUS SHORT). OR LC-t '-VON 


IC FP ! ' C E 


FROM' LATCHING MAGNET , -<=C W SKCK, VI3. t CLNYA« 
. £F C ECT ( S ) : QN { A ) SUBSYSTEM ( S ) INTERFACES CO'MISS 
- (A) LOSS OF FUNCTION (VEPMISP. THRUSTER). (8) 

SUBSYSTEM-PAYLOAD MANIPULATION. (C) MISSION 


(AIR GAP) . 

ICN (0 )C=Er/VEHICLF: 
QFGRA 0 AT I i~v. OF [N T EP 
MODIFICATION CP A3CPT 


p > — 


DEC IS ION. 


(0) NO EFFECT UML = 3S ADDITIONAL FAIUJ°£S CCCU 0 . 


DISPOSITION £ RATIONALE (A)OSSIGN (8)te$T (C ) INSPECT CON ( 0 ) FA ILMR E HI STORY: 
(A) SERIES SWITCHES (S’CS) MINIMIZE POTENT PC' 3 1‘UCVEP. -'CTUA'IGM. 

PARAL SWITCHES (RPC'S) PROVIDE ELECT P£DUN FOP T«£ OPENING SID. 


AN INDUCT VGLTAGE. SURGES CIRCUIT IS PRGV IN- THE ELECTRICAL SYSTEM TO 
PRcV DAMAGE TO OTHER ON-LINE CCMP. REDUNDANT DIODES LIMIT THE PQSS OF 
OIQOE FAILURE ALLOWING CURRENT SHUNT FROM THE CCTL. 


• 100 MICRON FILTER IS ~PRCV TO LI* I 1 * t HE ?OSS O F CPN'T A-M CAUSING ~ 

JAMMING MOVING PARTS. : : TO LIMIT THE 

ELECT' SHORT POTENT, THE LEAD AND MAGNET VIRES APE EMC A? EY 5 CT I.\G AND 
A FIXTURE ISJJSED DURING .ASSEMBLY TO ENSURE THAT INSUL IS NOT DAMAGED 
3Y THE EXIT NOTCH. WHEN THE COIL JiLEE/S'- I S PRESSED ONTO THE COIL. (3) 

2000 CYCLES (ON— GFF-FLCW I AND RANDOM Vie AT ANTIC MISSION LEVELS APE 
PEPF DURING QAl. ITEM IS USED DURING SYS EVAL TESTS AT VSTF ALLOWING 
EVAL UNDER SIMUL MISSION USAGE CCNO. PROOF PRESS, LEAKAGE,. CPSR AMD 
INSUL TESTS ARE PERF DURING ATP. APPPOP LOCATED TEST PGINTS ALLOW 
P° E/POST FLIGHT LEAKAGE TESTS AND OPER TESTS ARE ALSO CQHC AT THIS TIME. 
(C>. AND IDENTIF IS PERF AND THE UNIT TAGGED. CONTAM CONT PROCESS, 
CORROS..' PROT PROV. NDE EXAM. GF WELDS AND 3PAZES.- INSP . FOR SURFACE A-'’Q 
SU8SURFACE DEFECTS AND PROPER ELECT TERMINATIONS APE VER IF BY INSPECT. 
THE POLL ITEMS ARE VER IF 3Y SHCP TRAELER INSP. POINTS- RAW MAT’ L (LOT 
CERTIFW PARTS PROT, MANUF., COATING, PLATING, INSTALL AND ASSY OPER. 
THE- ABOVE ITEMS AND THE FOLLOWING ITEMS WERE VERIFIED 8Y AUDIT. COMO 
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SHUTTLE CRITICAL ITEMS LIST - CFSITER 102 


SUBSYSTEM : AFT - REACTION CONTROL FMEA rtQ 03-24 -202140-1 REVS12/12/73 

3-31-77. CONTA.M CONT PRCC, CGRRQS. PRGT »RGV TURNAROUND- FUNCT FLOW 
TESTS ARE MCNIT TQ VERIFY THAT VALVES OPEN AND CLOSE' PROPERLY UPON 
COMMAND. (D) APOLLO FAILURES WERE MAINLY ASSCC W I TH REVERSE POLARITY 
AND DEGU4SSING OF MAGNETS. THE SHUTTLE VALVE UTILIZES A CCNNECTOR 
{RATHER' THAN LEAD WIRES! AND A BLOCKING DIODE WHICH PREVENTS THIS TYPE 
OF ERROR DURING COMM. DEVEl TEST ( AND AN At SHCW-D PRESS SU»GE FATIGUE 
PROBLEM. THIS IS BEING RESOLVED 3Y REDUCING" THE LIFE OF Th£ VALVE TG 50 
MISSIONS. 
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5. 


8 . 


SUBSYSTEM AFT „ RdS 

ITEM Propellant Fill & Bleed Disconnect 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

FMEA NUMBER Q3-2A-2021 50-1 

FAILURE MODE Fails Open 


1 . 


la. 


2 . 


3. 


3a. 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION III RESPONSE)? 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION' THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? . . 

DOES THE FLIGHT SOFTWARE TAKE ACTION to NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

IF CREW ACTION IS REQUIRED TO RESPOND TO' THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 


IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BPS BE ENGAGED AFTER OCCURRENCE? 

B. WILL 8FS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 
* EXPLANATION REQUIRED (SEE BELOW) 


YES 

m 

NO 

□ 

*YES 

□ 

NO 

P 

YES 

□ 

*NQ 

m 

YES 

□ 

NO 

X 

*YE$ 

□ 

NO 

0 

i 

*YES 

□ 

NO 

0 

*YES 

□ 

NO 

0 

*o C 

! *i(x] 

20 


N/A □YEsQiioQ 


YES (lJ*NO □ 
YES O*N0 □ 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2.0 HARDWARE ACCEPTS RISK 


3. P NO 'SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


6., Q ACCEPTANCE RATIONALE BELOW 
6. □ RECOMMENDED CHANGES BELOW 


In Flight Detectability 
OQFMEA CHANGE RECOMMENDED 

EXPLANATION/COMMEHTS : 

1. Gross leak detection will give first indication. 

6. There is one success path remaining after the first, failure. 

8B. Same as primary, 

2. Measurements V42P2313C, 231 5C, 2313C and 331 5C are not listed in the MML. 
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SHUTTLE CRITICAL ITEMS LIST - CP.oITER 102 


SU 5 SYSTEM JAFT - REACTION CONTROL 
ASSEMBLY : PROPELLANT 
P/N RI :MC276~0Qi3 
P/N VE?JCGR:7£3C1000 S' 76306000 
QUANTITY llj 

: VEHICLE 
: S/POD- - 
| 2 OF Ml IN. 


FMEA NO 03-24 -202150-i 


REV 1 11/03/7 


ABORT; 

MISSIONS: 
PHASE IS): 


CRIT. FUNC: 
CP IT . h LW : 


1 

I 


H c 

PL 


V F X 
LO X 


FF 

CO 


OF 

00 X 


SM 

LS 


PREPARES BY? 
DES 
REL 


4 PFJ/4_IN... 

C SCARLETT 
C M- AKERS 


REDUNDANCY SCREENS 

;y : 




A— N / t 2-N/A 

APPROVEo/sy {5 
SSM 

'^QVED WITH CHANGES 

ITEM; DISCONNECT- FILL S BLEEO SeS Sect-ion 13,0 

PROPELLANT , SPRING LOADED POPPET V. ITH STRUCTURAL CA?(1/V S 1/2"}- 
F UNCTICNT 

TO PROVIDE FOP VENTING A NO BLEEDING PROPELLANT TANKS DURING SERVICING. IN 
VERTICAL VEHICLE ORIENTATION- ONE INCH COUPLING, (FUEL-LEFT PGD AND 
CX-PIGHT PCD) SERVICES ARCS AND CMS. ITEM LNCCR C GR4TFS SECONDARY 
INTERNAL SEALS AND HAS A PRESSURE CAP WHICH IS R ED UNO AMT SEAL. CAP 
INSTALLED PR ICR T3 FLIGHT. 

.FAILURE MODE: FAILS OPEN. (SI 

. CAP LEAKS IN EXCESS C* c ACCEPTABLE RATS, SrALS C AM AGED R E T A IN I “K» NUT 
LOOSENS NEGATING CAP SEAL REDUNDANCY. 

. CAUS E ( S ) : 

, VI 3° A T ION , PIECE P'xPT 3TP’JC~U*AL ?AIL’J°E, ‘-'ECHA '-'T C 'L SHOCK 

EXCESS TORQUE, SEAL DAMAGE, NO LINE SUPPORT- SH A -T OR CORE BENT, I.NAOEQ 
J*A I NT GF GSS HALF. 


, EFFECT (SI: ON { A } SUB 3YST=M ( I ) INTERFACES (OMISSION ( D) CR EV/VEh ICLE = 

. (A) LOSS GF SUBSYSTEM PROPELL.AN’’’ . (8) DEGRADATION CF INTERFACE 

SUBSYSTEM (PROPELLANT EFFECTS}. IC) LAUNCH DELAY OR A 5 CRT DECISION. 

( D) POTENTIAL CREW LOSS -DURING MI3SIGN IF PFCPELLAN'T CANNCT BE UTILIZED 
OR DEPLETED. 

.DISPOSITION £ RATIONALE ( A ) DESIGN ( 3 } TEST (C ) I NS ?ECT ICN ( D } FAILURE HISTORY: 
(A) F.S. IS 2.*0 X WORKING PRESS. GROUND HALF COUPLINGS AND LINES ARE 
ADcQ SUPPORTED TO. LIMIT ANY UNDUE STRESS <DN THE COUPLING DURING SERVICE 
AND PP.EV DAMAGE TO SEALS. A SAFETY FEATURE PRIOR TO 

REMOVAL OF THE END CAP IS A PROV WEREBY ANY LEAKAGE PAST THE AIRBORNE 
POPPET SEAL CAN BE VENTED OVERBOARD BY. ROTATING A 3LEED SCREW . COMPLETE 
STRESS ANAL HAS SEEN CONDUCTED- UTIL OF STRUCT CAP MINIMIZES LEAKAGE 
POTENTIAL AND PROVIDES A REDUNDANT SEAL EXCEPT Fa* 3 STRUCT FAILURE. 

IB) THE COUPLING IS SUBJECT TO 600 OPER CYCLES (COUPLING AND UNCOUPLING) 
DURING QUAL IN ADDITION TO PRESS SURGE CYCLING AND PROP EXPOSURE TESTS. 
RANDOM VI 3 TESTING IS ALSO CONDUCTED AT ANTIC VFH LEVELS FOR 34 MINUTES 
IN EACH AXIS. USAGE DURING SYS SVAL TESTS AT WSTF ALLOWS EV4L UNDER 
ACTUAL USAGE COND. PROOF PRESS TESTS ARE CONDUCTED DURING AT n £ LEAKAGE 
TESTS ARE PERF 8EFGRE £ AFTER OPER CYCLES. (C) AN IDENT IS PERF. P.AW 
HAT *L ND6 EXAM, VISUAL INSP FOR SURFACE DEFECTS, £ EQUIP CONFORMANCE TO 
CONTRACT REQMTS ARE VERIF BY RECEIVING INSP. MEASUREMENT STANDARDS £ 
TEST EQUIP. STANDARDS ARE IMPLEMENTED PER REQMTS CF MIL SPECS. THE 
FOLLOWING ITEMS ARE VERIF BY SHOP TRAVELER MANDATORY INSP PCINTS-PARTS - 
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SHUTTLE CRITICAL ITEMS LIST - CR6ITER 102 


SUBSYSTEM : AFT - REACTION CONTROL FMEA NO 03-2A -202150-L REV : 1 1/08/ 

PROT, NFG. PROCESSES, COATING, ASSY A NO INSTALLATION. THE 4B:VE ITEMS 
Z THE FOLLOWING ITEMS WSPS VERIFIED BY AUDIT CONDUCTED 5-23-77. CO 0 POS 
PROT PROV, CO NT AM CONT P^GCESSES, TEST HANDLING, S 3TGRAGE ENVIR. 

THE FOLLOWING ITEMS WERE VERIFIED BY AUOIT.GF MARCH 6, 1973. INSPECTION 
VERIFIES ASSEMBLY PER INSPECTION POINTS IN MASTER RECORD. LOG OF CLEAN 
ROOM ANO CALIBRATION OF TOULS VERIFIED. CRITICAL DIMENSION 100? 

VERIFIED 3 Y INSPECTION., PjARTS CLEANLINESS ANO ^iSSIVATICN 3Y 
.INSPECTION. NOE INSPECTION PERFORMED 4F T ER ASSEMBLY. 
TURNAROUND-COUPLINGS ARE VISUALLY INSP FOR EVIG OF DAMAGE SEALS Z LEAK 
TESTS ARE PERFORMED. (0) APOLLO' FAILURE HISTORY WAS' IN THE MAIN ASSOC 
WITH GROUND USAGE, IMPROPER HANDLING. 


S 30 
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SUBSYSTEM 


AFT - RCS 


ITEM Propellant Tank Assy. 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

FMEA NUMBER Q3-2A-21 1 1 1 0-1 

FAILURE MODE External Leak 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA. EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING' HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM, LOGIC) 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE' OVERSTRESS THE HARDWARE OR- 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 

OTHER FUNCTIONS? ! 

6. HOW MANY OF- THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO ‘EITHER 1 OR 3 IS YES: 

__ A., CAN THE BFS BE ENGAGED- AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF' CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


YES 

0 

NO 

□ 

♦YES' 

□ 

NO 

□ ' 

YES 

m 

♦NO 

□ 

YES 

t 

□ 

NO 

0 

■ *YES 

□ 

NO 

0 

♦YES 

□ 

NO 

0 

♦YES 

□ 

NO 

0 

*0 [X] *lQ 

tU 


n/a □yesQQnoQ 


YES Qg*HO □ 
YES □*NQ □ 


CHANGE/ RETENTION RATIONALE SUMMARY 

T.Q NO H/S ISSUES 

2. [Xj HARDWARE ACCEPTS RISK 


3. P NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6 . D RECOMMENDED CHANGES BELOW 


’ □FMEA CHANGE RECOMMENDED 

EXPLAMATION/COMMENTS : 

1. Gross leak detection qives first ind.ir.at.inn. . 

6. Pod redundancy. 

8B. Backup flight system same as primary. 
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SHUTTLE CRITICAL ITEMS LIST - ORBITS? IOZ 


SUBSYSTEM : AFT - REACT I CM CONTROL 
ASSEMBLY rPROPcLLANT FEED • 

P/M RI : M C2 32— 0 06 1 - DO 0 L * —0 0 C2 


FMEA MC 03- 2A -21 LUO-1 ' REV: 11/03/7S 
ABORT: CRIT. FUMC: L 

CP IT . KDW : 1 


P/M VENDOR: 355C3310CG0-O1G ,-020 MISSIONS: ME 

QUANTITY :a PHASE { 5) -‘ PL X 

:TWG PER 
: MODULE 

‘ •" » REDUNDANCY SCREEN: 


PREPARED BY: 

DcS R 3 EM IS 

REL C M AKERS 


APPROVED BY: 

OSS ... 

REL £. Z . ^ _ _ 


ITEM: TANK ASSY* PROPELLANT 


VF X Fr Or SM 
LO X OC X DO X LS 


A— N/ 1 a-N/A C-N/A 

a v it \\ x tr A4 \ • 



3 ROVED WITH CHANGES 
See Section 1370 


INCLUDING ACQUISITION DEVICE AND R ET5N T ION SC^rS'iS 1 1-5 FACTO 5 CF 
SAFETY") TK 203/204/303/304. 


FUNCTION: 

TG STGRE/SUPPLY PROPELLANT FCR REACTION CONTROL ~HR , J3 T E?S. TANK SHELL 
CONTAINS PROPELLANT AND ACQUISITION DEVICE RETAINS PROPELLANTS FOR ADEQUATE FEED 
DURING rG", 0“G" AND HIGH "G" CONDITIONS. REGULATED HELIUM IS, SUPPLIED TO THE . 
ULLAGE TO FORCE PROPELLANT TO THE .THRUSTERS AS REQ 1 D . 245 PSIA (+ OR -15) 

(17.95 CUBIC FEET). 


FAILURE «GCE: STRUCTURAL FAILURE (F) 

EXTERNAL LEAK. TANK HALL C^iCK OP SEAL FAILURE.' 
CAUSE) S ) : 


•“•ECH SHOCK, FAT IGUS/V t a , CVERPRESS, STRESS CC wb CS* I '•'PROPER P»G P -»u c I T '*'- 
GR TEST FLUID, OVER TEMP, PLUME- OR REENTRY GASES, STRESS ®ISE?, >ELD 
OP. MAT* L DEFECT, INCORRECT CO DAMAGED SEAL. 

EFFECT! 3): ON ‘C A) SUBSYSTEM ( S 1 INTERFACES (C ) MI SSISN ( 0) CP. EW/V5H ICLE: 

(A) LCSS OR DEGRADATION OF SUB-SYSTEM DEPENDENT CM EXTENT CF FAILURE. 

( B ) LCSS OP DEGRADATION CF INTERFACE SUB-SYS T=*-AFT RCS t p GD , TPS DR 
V5H DAMAGE. (C) ABORT DECISION. (D) POSSIBLE LCSS OF CPfW/VEHICLE 
(EXPLOSION, LACK OF PROPELLANT OR INABILITY TC DEPLETE OPPOSITE 
PROPELLANT). 

DISPOSITION 6 RATIONALE (A)OESIGN {S)TEST (C > INSPECTION ( DIFAILURE HISTORY: 
(A) THE F-S. (BURST) IS 1.5 X WORKING PRESSURE. COMPLETE STRESS 
ANALYSIS FOR EACH TANK SEGMENT WAS PERFORMED. TANK IS CLASSIFIED AS 
FRACTURE CRITICAL FOP. HANDLING AND IS SUBJECT TO FRACTURE CONTROL 
REQMTS. ALL FITTINGS ANO FLANGES USED ON THE TANK HAVE DUAL ELASTOMER 
SPRING LOADED SEALS- (3) DUAL REQUIRES 800 PRESSURE WITH ( INCLUDING 
200 EXPULSION CYCLES AND A 30 DAY CREEP AND PPCPELLANT EXPOSURE TEST. 
PROOF PRESSURE ( L.3X WORKING PRESSURE) AMO LEAKAGE TESTS A*J£ PERFORMED 
DURING ATP- RADIOGRAPHIC ANO DYE PENETRANT TESTS APE PERFORMED TO 
VERIFY NO PERMANENT DEFORMATION OR FLAW GROWTH. WELDS APE VISUALLY 
INSPECTED FOR EVIDENCE OF STRESS RISER OR OTHER FLAWS. 1C) AN 
IDENTIFICATION IS PERFORMED ANO THE UNIT TAGGED- RAW M4T*(_ AND 
PURCHASED COMPONENT RcCMTS ARE VERIFIED BY RECEIVING INS?. MEASUREMENT 
STANDARDS AND TEST EQUIP. STANDARDS ARE IMPLEMENTED PER REQMTS OF MIL 
SPECS- THE FOLLOWING ITEMS ARE VERIFIED BY SHOP TRAVELER MANDATORY 
INSPECTION POINTS- PARTS PROTECTION, HFG. PROCESSES, FINISHES, ASSY A.hD 
INSTALLATION- THE ABOVE ITEMS ANO THE FOLLOWING ITEMS WERE VERIFIED BY 


991 

94 


S D75 -SH -0003 



SHUTTLE CRITICAL ITEMS LIST - CRB ITER LOS 


SUBSYSTEM : AFT - REACTION CONTROL FMEA NO Q3-2A -211110-1 REV:1I/CS 
AUDIT CONDUCTED U-l-76. CORROSION PROTECTICN PROVISIONS, TEST 
HANDLING, AND STORAGE ENVIRONMENTS. TENSILE, HEAT TREAT ANO WELD 
SAMPLES ARE TESTED DURING IN-PROCESS FABRICATION I M AOOITICN TO X-RAY 
ANO DYE P6NTRANT INSPECTION FOR SURFACE ANO SUBSURFACE DEFECT'S . BOTH 
CSLTIFIEO WELDERS AND CERTIFIED INSPECTORS ARE USED FOR ALL WELDS. 
TURNAROUND- INSPECTION TO 'MONITOR FUNCTIONAL TEST CURING PRESSURIZATION 
CYCLE FOR EVIOENCE OF LEAKS. LEAKAGE TESTS ARE PERFORMED AFTER 
INSTALLATION INTO THE SYSTEM AND P ER 10 DICA LL V AS PART OF CHECK-OUT 
PROCEDURE PRIOR TO FLIGHT. PRESSURE CYCLES ACCUMULATED' APE ALSO 
RECORDED. (OJ APOLLO FAILURES. WERE ASSOC. WITH INCORRECT TES 7 FLUID 
I METHYL ALCOHOLS •» IMPROPER PROPELLANT NO CONTENT, ,STRFSS P !$5 3 OR TEST 
ERROR RESULTING IN CREATION CF VACUUM. CORRECTIVE ACTION WAS TAKEN FC-- 
ALL OF A3QVE FAILURES AND ALSO IMPLEMENTED CN SHUTTLE. 
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SUBSYSTEM AFT- RCS 


ITEM Propellant Tank Aasv 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

FMEA NUMBER f13-7A-?n 1 1 D-.7 

FAILURE MODE ___Bnhhl ps in Prnnpllant 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
- ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HAROWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HAROWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HAROWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

3. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 


YES 

0 NO 

□ 

*YES 

□ MO 

13 

YES 

0*«o 

□ 

YES 

□ - NO 

S 

*YES 

□ NO 

a 

*YES- 

□ NO 

a 

*YES 

□ NO 

a 

*0 □ *10. ; 

zD 

N/A OYESSiioQ 

YES 

QO*no 

□ 

YES 

□ *NQ 

0 


CHANGE / RETENTI ON RATIONALE SUMMARY 
NO H/S ISSUES 

2. 0 HARDWARE ACCEPTS RISK 


3. Q NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. Q RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 

EXPLANATION/COMMENTS : 

1. "Failed off" thruster may illuminate if < 40 psi is sensed 3 times 80 milliseconds 
apart. 

5. Crossfeed. 

8b. Same as primary. 
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SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM IAFT - REACTION CONTROL 
ASSEMBLY sPRQPELLANT FEED 
91 N RI :MC2 32-0061-0001 »— 0C02 

P/N VENOORsa 5503310000-010,-020 
QUANTITY zb 


FMEA NO’ 03—2 A -211110-2 REV: 12/13/73 
ABORT: CRIT. FUKCs. 1 

CRHV HDw: 1 

MISSIONS: HF VF X F F OF SM 

PHASE(S): PL LC X GO X DO' LS 



:TfeQ PER 
: MODULE 

J 



REDUNDANCY SCREEN: 

PREPARED 

oes 

BY: 

R BEMIS 

APPROVED. BY: s 

des 

REL 

C M AKERS 


ITEM; TANK ASSY, PROPELLANT 

INCLUDING ACQUISITION OE'/ICE AND RETENTION SCREENS 
SAFETY) TK 203/204/303/304. 


A-N/A B-N/A C-N/A 

APPROVED BY |^4ASA$; 
SSM, _ 


W APPROVED 



WITH CHANGES 


See Section 13.0 
(1.5 FACTOR OF 


FUNCTION: 

TO STORE /SUP PLY PROPELLANT FQp, REACTION CTN'R CL THRUSTERS. ACQUISITION 
UEVICL RETAINS PROPELLANTS FOR ADEQUATE FEED DURING IV, 0 ,t G""'ANU- HIGH "G" 
CONDITIONS. REGULATED HELIUM IS SUPPLIED TO THE ULLAGE TO FORCE PROPELLANT TO THE 
THRUSTERS AS REQ’D. 245 PSIA (+ OR -15) (17.95 CUBIC FEET)..- ■ • 


FAILURE MODE: STRUCTURAL FAILURE (S) 

FAILS TO FEED’ PROPELLANT DUE TO RETENTION DEVICE FAILURE. GAS FUMBLES 
IM PROPELLANT.. 

CAUSE! S ) : 

FATIGUE, STRESS CGRRCS. CCNTAM, VIB,- HECH SHOCK, SCREEN COLLAPSE, 

FROZEN PROP, PROP SLOSH LOADS, FASTENING HnwRF FAILS 
EFFECT CS ) : ON ' (.A) SUBSYSTEM ( 3 ) INTERFACES ( C) MISSION (D ) CREW VEHICLE: 

U‘,-8) SUBSYSTEM' AND INTERFACE DEGRADATION - GAS BUBBLES l* PROP CAUSING 
_ REDUCED THRUST OR COMB IN STAB. _{ C) _ABDRT_DECISIQN. (DJ POSSIBLE LOSS 

CF "CREW VEHICLE - NASA STATES FAILUReTOF ACQUISITION DEVICE SCREENS COULD CAUSE PREMATURE 
GAS INJECTION INTO THE THRUSTER MANIFOLDS DURING ENTRY MANEUVERING. 

DISPOSITION i RATIONALE (A) DESIGN (B) TEST (C) INSPECTION- (D) FAILURE HISTORY: 

(A) SAFETY FACTORS OF 1.5 (MINIMUM) IN SCREEN WILL MINIMIZE FAILURE POTENTIAL. '(B) QUAL 
REQUIRES 200 EXPULSION CYCLES A 90 DAY PROPELLANT EXPOSURE TEST. DEVELOPMENT CERTIFICATION 
TESTS DEMONSTRATE 100 MISSION FLOW TRANSIENTS -(188,800 CYCLES) AND TWO YEAR PROPELLANT 
COMPATIBILITY. PROPELLANT ACQUISITION DEVICE AND WELD INTEGRITY VERIFIED VIA BUBBLE 
POINT TESTS AT THE COMPONENT, SUBASSEMBLY & TANK ASSY LEVEL. (C) AN IDENTIFICATION IS 
PERFORMED AND THE UNIT TAGGED. RAW MAT l L AND PURCHASED COMPONENT REQMTS ARE VERIFIED BY 
RECEIVING INSP. MEASUREMENT STANDARDS & TEST.EOUIP STANDARDS ARE IMPLEMENTED PER REQMTS 
OF MIL SPECS. THE FOLLOWING ITEMS ARE VERIFIED- BY- SHOP TRAVELER MANDATORY INSPECTION' 
POINTS-PARTS PROTECTION, MFG. PROCESSES, FINISHES, ASSY' AND THE ABOVE ITEMS AND THE 
FOLLOWING ITEMS WERE VERIFIED BY AUDIT CONDUCTED 11-1-76. CORROSION PROTECTION PROVISIONS, 
TEST HANDLING, AND STORAGE ENVIRONMENTS. BOTH CERTIFIED WELDERS AND CERTIFIED INSPECTORS 
ARE USED FOR ALL WELDS. TURNAROUND - BUBBLE POINT TESTS ARE PERIODICALLY PERFORMED IN 
THE SYSTEM AS PART OF CHECKOUT PROCEDURE PRIOR TO FLIGHT. PRESSURE CYCLES. ACCUMULATED 
ARE ALSO RECORDED, (D) NO IN-FLIGHT FAILURE EXPERIENCE FOR THIS DESIGN. 
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6 . 


7. 


8 . 


SUBSYSTEM AFT - RCS 
'.ITEM Gjmbal Joint 


HARDWARE/SOFTWARE ANALYSIS- CHECKLIST SDZ2-SH-0103-2 
FMEA HUMBER Q3_-2A-Z1112Q^1 


FAILURE KQOE FxHprnal I pakagp 


T. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE {i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

YES 

0 

NO 

□ 

la. 

IF NOT,, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

*Y£S 

□ 

NO 

P 

2. 

ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATIOfl OF 
IN-FLIGHT DETECTABILITY? 

YES 

□ + N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS -OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 


NO' 

□ 

3a. 

IF NOT, -DOES THE CAPABILITY- EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE, ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)?' 

*YES 

m 

NO 

□ 

4- 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

*YES 

□ 

NO 

0 

5. 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 

*YES 

□ 

NO 

0 


OTHER FUNCTIONS? 

HOW MANY OF THESE HARDWARE FAILURES' CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND- HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIOED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 


IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 
*EXPLANATIQN REQUIRED (SEE BELOW) 


*o □ *ifH zO 

M/A □YES[X]N0Q 


YES 0*!!O □ 

YES d*NO □ 


i CHANGE/ RETENTION RATIONALE SUMMARY 
T.Q Kfl H/S ISSUES 

2. □ HARDWARE ACCEPTS- RISK 


3. □ NO SOFTWARE DETECTION- 

4. [X3 DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE 8EL0W 

6. □ RECOMMENDED CHANGES BELOW 


In-flight detectability 
0 FMEA CHANGE RECOMMENDED' 

EXPLANATION/COHHENTS: 

1. Gross leak detection gives first indication. 

2. Fuel tank outlet pressure measurements V42P2310, 3310 were omitted from- the 
FMEA and need to be added. 

3A. Low pressure transducer signals could be used by software to isolate the system 
automatically if desired. 

6. There is one success path remaining after first failure. Cross-feed. 

8B. Same as primary. 
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OF POOR OUALitY 



SHUTTLE CRITICAL ITEMS LIST - CP-6 ITS? L02 


SUBSYSTEM ; AFT - REACTION CONTROL 

ASSEM8LY : PROPELLANT FEED 

P/N R I :73P550015-L01SIQ2 CMOAC) 

■ P/N VENDORS I CO 3099— 10 1 6102 (SSPJ. 

■ QUANTITY s 12 

S3 PER PROP TANK 


FMEA NO 03-2A —211 120—1 REVill/Qa/Tc 
ABORT i CP IT. FL'NCs L 

CRIT. Hews I 

MISSIONS: hF VF X FF OF SM 
PHASEtS): PL X L3 X CO X 'DO X LS X 


PREPARED BY: 

OES , H GLAVINICH 

PEL ‘ CM AKERS 


ITEM: CONNECTOR 

FLEXIBLE, GIMBAL JOINT. 
FUNCTIONS 


i 


REDUNDANCY SCREEN: A-N/A R— M/A C-N/A 


APPROVED BY: 
OES UfL 

R6L ~<L 




APPROVED 3YMNASA,) 
3SM JbfcJL-C: 


. 


APPROVED WITH CHANGES 
See Section 13.0 


AN EXTERNALLY CONSTRAINED FELLOWS (UNIVERSAL SOCKET JOINT ASS’Y) IS 
PRO V DED FOP THE PROPELLANT TANK CUTLET LIMES TO ALLS* MOVEMENT DUPING 
PRESSURE SURGES- CONNECTING T'jaES ARE WEL JEO t G r HE 3SLLCwS AN Q TO THE 
PROP LINES. 

FAILURE MODE: STRUCTURAL FAILURE IS) 

EXTERNAL LEAKAGE. 

CAUSE(S): 

FATIGUE. SHOCK, HANDLING I.MAOEO WELD P=N=T„ I'.CCMP FUSION, POPCSITY, 
CORROS RESULTING IN PIN HCL c LEAK- THRU CCN'/QLuTE, PROP £ 3 t-P^LP 
EXPOSURE o'? ESS SURGE-, FLOW INDUCED VI8-POGC £FFEC' r , FLT VI2. 

EFFECT IS): ON { AJ SU33YSTSM { 8 ) INTERFACES (CJMISSICM (01 CF.=*/VEH ICL£: 

, (A) SUBSYSTEM DEGRADATION - LOSS OF °PUP5LLANT. (8) DEGF ADA r I CM OF 

INTERFACE FUNCTION - POSS CGRROS DAMAGE WITHIN POO AMD ADVERSE EFFECT 
ON TPS (MOLECULAR VENTING). (C) LAUNCH DELAY CP A30F T DECISION. ' (0) 
POSSIBLE LOSS OF CREW/VEHICLE - IF BELLOWS JOINT- RUPTURES RESULTING IN 
INABILITY TO UT IUTZ E/OEPLETE PROP OR PROP REACTS WITH FUEL OR GX 
CAUSING FIRE OR EXPLOSION. 

DISPOSITION £ RATIONALE (A)OESIGN IB) TEST (C) INSPECT lON IDlFAILUP.c HISTORY: 
(A) MULTIPLE BELLOWS ARE UTILIZED. FLCW INGUCED VIBRATION ANALYSIS 
AND STRESS ANALYSIS ARE CONDUCTED TO VERIFY ACCEPTABLE DESIGN. THE 

• EXTERNAL CONSTRAINT (UNIVERSAL SOCKET JOINT ASS'Yl WOULD TEND TO 
LIMIT ANY’ GROSS PROPELLANT LEAK IN EVENT OF BELLOWS FAILURE. 

ITEM LS USED DURING SYSTEM EVALUATION TESTS AT WSTF ALLOWING 
EVALUATION UNDER SIMULATED MISSION USAGE CONDITION. (C) A VISUAL 
INSP AND IDENTIFICATION IS PERFORMED AND THE UNIT TAGGED. CON- 
TAMINATION CONTROL PROCESS, CORRQS. PROTECTION PROVISIONS, NOE 
EXAM OF WELDS* INSP FOR SURFACE AND SUBSURFACE DEFECTS » PAW 
MAT 1 L (LOT) CERTIFICATION, PARTS PROTECTION, COATING AND PLATING 
PROCESSES ARE VERIFIED BY INSPECTION. MANUF, INSTALLATION, AMD ASSY 
OPERATIONS ARE VERIIED SY SHOP TRAVELER MANDATORY, INSP POINTS. THE 
ABOVE ITEMS AND THE FOLLOWING ITEMS WERE VERIFIED BY AUDIT CONDUCTED 
S-Z9-T7. CONTAMINATION CONTROL PLAN, PROPERLY MONITORED H4NCLING AMD 
STORAGE ENVIRONMENT, SPECIAL MEASUREMENT STANDARDS AND EQUIP AND MAT* L 
CONFORMANCE TO CONTRACT . REQMTS. TURNAROUND - MONITOR LEAKAGE TESTS 
PERFORMED AFT5R INSTALLATION INTO THE SYSTEM AND AS PART OF CHECKGUT 
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SHUTTLE CRITICAL ITEMS LIST - CRB ITER 102- 


SU8SYSTEM :AFT - REACTION CONTROL - FMEA NO 03-2A -2I1I20-1 REV: 11/08 /7S 
-PROCEDURE PRIOR TO FLIGHT. (0) NO FAILURE HISTORY A VILAELE ALThQUGH THE 
APOLLO PROGRAM 010 SHOW SOME PROBLEMS CN FLEX HOSE ASSY CUE TO PIN HOLE 
CORROSION ASSOC. WITH RESIDUAL SOLVENTS AND PROPELLANT. 
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• HARDWARE/SOFTWARE ANALYSIS- CHECKLIST SD72-SH-01 03-2 

SUBSYSTEM flFT-RCS FMEA NUMBER 03-2A-221 308-1 

ITEM Bellows Assy, ; FAILURE MODE External Leakage 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
- ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE. FLIGHT SOFTWARE .COULD 
USE TO DETECT THE FAILURE? - 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC) 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS' A RESULT OF THIS FAILURE MOOE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? * • 

5. CAN THIS FAILURE MOOE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY -AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE 8FS BE ENGAGED AFTER OCCURRENCE? 

3. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


3. P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

4. EJ DETECTION DURING CHECKOUT 6. O. RECOMMENDED CHANGES BELOW 

I 

J 

i 


In-flight detectability 
[I] FMEA CHANGE RECOMMENDED 

EXPLAHATIOfl/COMMEHTS : ' ” ] 


1. Gross leak detection gives first indication. 


CHANGE/RETENTION RATIONALE SUMMARY 

1. Q NO H/S ISSUES 

2. □ HARDWARE ACCEPTS RISK 
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SHUTTLE CRITICAL ITEMS LIST - GRo ITER 1Q2 


SUBSYSTEM ;AFT - REACTION CONTROL 


FHEA NO Q3-2A -221308-1 


RSVillVOa/75 


ASSEMBLY : THRUSTER/ PROPELLANT FEED ABORT : 

. P/N RI :MC621— 0059 

. P/M VENQGR:73P 5500 C3- 1001 THRU IOC 5 MISSIONS ; 

QUANTITY :56 PHASE t S) : 

SONE FUEL AND ONE CXIDIZ. 

APER THRUSTER $ PR I £ VSRNJ 


CP IT. FUNC: 1 

CRIT. HDH: l 

HF VF X FF OF SM 
PL X LQ X CC X 00 X LS X 


! 


REDUNDANCY SCREEN: A-fJ/ 1 8-N/A C— N/4 


PREPARED BY: ■ 

iDES N GLAVINICH 

REL * C. M AKERS 


ITEM: BELLOWS ASSEM., 
ENGINE ALIGNMENT. 
FUNCTION: 



APPROVER 8Y/>MAS4j: // 

SSM . 

- J fiPPROVED WITH CHANGES 
~ See Section 13.0 


A STAINLESS STEEL EXTERNALLY (CYLINDER) CONSTRAINED BELLOW 
TU3E END CONNECTIONS IS PROVIDED AS A MEANS CF CONNECTING 
THE THRUSTER VALVES tq THE PROPELLANT SYSTEM. 


3 WITH RIGID 
ANC ALIGNING 


FAILURE MOOS: STRUCTURAL FAILURE { S J 

- EXTERNAL LEAKAGE. 

CAUSE(S): 

FATIGUE. SHOCK, HANDLING, I.SAOEQ WELD PENE"", INCO^P FUSION, POROSITY, 
CORROS-PROP £ 81 -PROP EXPOSURE, PRESS SURGE', FLGW INDUCED Vtb-POCQ 
EFFECT, FLT Via. 


-EFFECT ( S ) : ON (A) SUBSYSTEM lo ) INTERFACES (OMISSION {0 ) CRFW/VEH IDLE: 

(A) SUBSYSTEM DEGRADATION - LOSS OF PROPELLANT, (8) DEGR AOA~ I ON OF 
INTERFACE FUNCTION - PUSS CORROS DAMAGE WITHIN POD AND ACVEPSS EFFECT 
ON TPS {MOLECULAR VENTING). (C) LAUNCH DELAY OR 430FT DECISION. (D) 

, POSSIBLE LOSS OF CREW/VEHICLE - FAILURE NGT GET ECT ABLE SINCE PVT 
MEASUREMENTS HAVE BEEN DELETED FROM SOFTWARE FOR ASCENT AND RTLS. 
{ISOLATION IS POSSIBLE DUPING OTHER MISSION PHASES). 

.DISPOSITION £ RATIONALE {A ) DESIGN C 3 } TEST (C ) INSPECT IJN (D)FAILURE HISTORY: 
(A) MULTIPLE 3ELLGWS ARE UTILIZED. FL.OW INDUCED VI3RATI0N ANALYSIS AND 
STRESS ANALYSIS WERE CONOUCTED TO VERIFY ACCEPTABLE DESIGN. THE 
EXTERNAL CONSTRAINT WOULD TEND TO LIMIT ANY GROSS PROPELLANT LEAK IN 
EVENT OF BELLOWS FAILURE. PROPELLANT LEAK FROM LINE TO THRUSTER COULD 
8E ISOLATED 8Y MANIFOLD VALVE. (8) ITEM IS USED DURING SYSTEM 
EVALUATION TESTS AT WSTF ALLOWING EVALUATION UNDER SIMULATED MISSION 
USAGE CONDITION. (C5 A VISUAL IN$P AND IDENTIFICATION IS PERFORMED AND 
THE UNIT TAGGED. CONTAMINATION CONTROL PROCESS,- CCRROS. PROTECTION 
PROVISIONS, NOE EXAM OF WELDS, INS? FOR SURFACE AND SU33URFAC5 DEFECTS, 
RAW- MAT 1 L (LOT) CERTIFICATION,. PARTS PROTECTION, COATING AND PLATING 
PROCESSES ARE VERIFIED BY INSPECTION. MANUF, INS T ALLATICN , AND ASSY 
OPERATIONS ARE' VERIFIED 8Y SHOP TRAVELER MANQATCRY INS? POINTS. THE 
ABOVE ITEMS ANO THE FOLLOWING ITEMS WERE VERIFIED 3Y AUDIT CO.NQUCTEO 
3-29-77. CONTAMINATION CONTROL PLAN,- PROPERLY MONITORED HANDLING AND 
STORAGE ENVIRONMENT. SPECIAL MEASUREMENT STANDARDS ANO SCUIP AND MAT *L 
CONFORMANCE TO CONTRACT REQ.TTS. TURNAROUND - MONITOR LEAKAGE TESTS 
PERFORMED AFTER INSTALLATION . INTO THE SYSTEM ANO AS PART CF CHECKOUT 

,PRGC-EDUR£._PRIOR TO FLIGHT . " ( 0) NO FAILURE HISTORY 'AVAILABLE ALTHOUGH 

THE APOLLO PROGRAM O’lD SHOW SOME PROBLEMS O'N 'FLEX HOSE ASSY OUE~'TO PIN 1 

HOLE CORROSION ASSOC. WITH RESI DUAL > SOLVENTS ANO PROPELLANT. 
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SUBSYSTEM AFT - RC$ 
•.ITEM Injection Plate 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 

FMEA NUMBER 03-2A-22T 31 1 -T 


FAILURE MODE Restricted Flow 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 


IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIOEQ 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRtCTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

.A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

3. WILL 8FS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

‘EXPLANATION REQUIRED (SEE BELOW) 


YES 

m 

NO 

□ 

*YES 

□ 

NO 

P 

YES 


*N0 

0 

YES 

l 


NO 

□ 

*YES 

□ 

NO 

□ 

*YES 

□ 

NO 

0 

*YES 

□ 

NO 

0 

*° D 


20 

N/A □ YES [X] III 

!>□ 

YES 

0- 

*t:o 

□ 

YES 

B 

*NQ 

□ 


CHANGE/ RETENTION RATIONALE SUMMARY 

1 , □ NO H/S ISSUES 

2. 0 HARDWARE ACCEPTS RISK 


3. Q NO SOFTWARE DETECTION 

4. C3 DETECTION DURING CHECKOUT 


5. - □ ACCEPTANCE RATIONALE BELOW 

6. P RECOMMENDED CHANGES BELOW 


In-Flight Detectability 

0FMEA CHANGE RECOMMENDED 


EXPLAHATION/COHMENTS : 

1. "Failed off" thruster C&W. 
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SHUTTLE CRITICAL ITEMS LIST - GR3ITER L02 


SU8SYSTEK :AFT - REACTION CONTROL FMEA MG 03-2A - 

ASSEMBLY iTBRUSTER » PRIMARY ABORT J 

P/N RI. :MCA67-002B 

P/M VENOOR:X33S38 MISSIONS: Hr 

QUANTITY :24 PHAS5(S)t PL - 

SOME INJECTOR PROVIDED FC 
:R EACH PRIMARY THRUSTER 


PREPARED 8Y: 
>0ES 
REL 


REDUNDANCY SCREEN- 


APPROVES? BY * 

DES 

REL 


'/•V7?' 


ITEM; INJECTOR. PLATE 


221 31 L-L PEV: 1 1/C EFTS 
CPIT. FUNC: 2' 

CR IT. HO'*: 3 

VF X FF OF SM 
LG X CO X 00 X LS 


A— PASS B-F AIL C--ASS 



DELETE 

See Section 13,0 


FUNCTION; 

PRGVIDES INJECTION £ VAPOR I ZAT ION OF FUEL AM C OXIDIZER FPCM THRUSTER 
INLET VALVES AND PROVIDES 0CU3LET MIXING AT 1.60 GX TC FUEL RATIO FOR A 
HYPERGCLIC REACTION *hICH PRODUCES 325 POUNDS OF r HRUST AT 70.000 FEET, 
ALSO CONTROL CHAMBER WALL CGCUNG. THE INJECTOR IS CONSTRUCTED OF C-1C3 
COLUMBIUH & WELDED TG THE CCM3 CHAM3. ACOUSTIC CAVITIES- APE Ll'C A T ED AT 
THE OUTER PERIPHERY Cr THE INJ FACE TC PREVENT HIGH F^EO CCM5 
INST AS* 

FAILURE MODE: FAILS OUT QJ= TOLERANCE' IF) 

. AT RESTRICTED FLOW. 

CAUSE! S ) : 

CONTAMINATION^ PRODUCTS CF COMBUSTION' BLOCKING ORIFICES, FREEZING GF 
PROPELLANTS* 

EFFECT { S ) : ON ( A ) SUBSYSTEM 13 ) INTERFACES (C) USSICN (OlCPEW/vEBICLS: 

(A) LOSS OF REDUNDANCY CR UNCTfCNAL DEGRADATION - REDUCED PP.np 
FLOW-CHAM- PRESS £ THRUST, IMAGED CHAM/INJ FILM COOLING. (31 
DEGRADATION OF INTERFACE FU.'iCT ION-INC 0 GN£C £ USE GF ALT THRUSTERS (Cl 
NO EFFECT. (DJ NQ EFFECT. ( E) FUNCTIONAL CRITICALITY EFFEC" - A5G~T 
DECISION - OEGRAD 31 PERFORMANCE OF REDUNDANT THRUSTERS WOULD' REQUIRE 
MISSION ABORT . 

DISPOSITION £ RATIONALE UIDESIGN ( 8 1 TEST ( C ) INSPECT QN ( 0 ) FAILURE HISTC= V : 
. 7A. MICRON NOMINAL FILLERS ARE PROVIDED T 0 CONTROL CO NT AM INAT IPN FROM SYS ' 

AND SUBSEQUENT HAZARD.. AUTOMATIC SWITCH OVER (AND ISOLATION) ,SY GN£C 
FAILURE DETECTION SYS. COMPLETE THERMAL AND STRESS ANALYSIS HAVE SEEN 
COMPLETED. (Bl RCS SYS EVAL TEST AT WSTF. THRUSTER QUAL FOR 50,000 
CYCLES. SPRAY PATTERN CHECKED DURING ATP. (Cl A. VISUAL INSP AND 
IDENTIFICATION IS PERFORMED ANQ THE UNIT TAGGED. CDNTAMIN ATI GN CONTROL 
PROCESS* CQRRQS . PROTECTION PROVISIONS* NOE EXAM OF WELDS, RAW MAT * L 
l LOT) CERTIFICATION, PARTS PROTECTION, COATING AND °LAT IMG PROCESSES A-E 
VERIFIED BY .INSPECTION. M.ANUF, INSTALLATION, AND ASSY QPERATCNS ARE 
VERIFIED BY SHQF TRAVELER M AND A TCP Y INSP POINTS. .THE ABCVS ITEMS AND 
THE FOLLOWING ITEMS WERE VERIFIED BY AUDIT CCN DUCTED 9-2-76. 
CONTAMINATION CONTROL PLAN, PROPERLY MCN ITDRED HANDLING ANO STCRAGE 
ENVIRONMENT. SPECIAL MEASUREMENT STANDARDS AND EQUIP AND M AT T L- ANO EQUIP 
CONFORMANCE TO CONTRACT REQMTS. TURNAROUND INSPECTION TO INCLUDE USE “ 
OPTICS WHERE ACCESS I3LE TO DETERMINE EVIDENCE OF PLUGGED ORIFICE. FLUID 

"SAMPLING TO BE P ERFORM EO~fO D ETECf~CONTA M t NAT IQ nL { b"f“N G" o I R EC T FATL'J= = 
HISTORY AVAILABLE. 

Tn 

1024 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-01 03-2 

SUBSYSTEM AFT - RCS FMEA HUMBER 03-2A-221 .31 2-1 

ITEM Thrust Chamhpr FAILURE MODE Burn-Thru 

1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA. EVALUATION OF YES Q‘*NO 0 

IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES O HO Q 

(EITHER BV COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES (XJ NO □ 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES Q NO 0 

INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES Q NO EJ 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 □ *10 2[x] 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A nYES[X[;ion 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 


3. Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

4. □ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 


QFMEA CHANGE RECOMMENOEO 



1. "Failed off" thruster C&W. 


CHANGE/ RETENTION RATIONALE SUMMARY 

1.1Z3 NO H/S ISSUES 

2. Q HARDWARE ACCEPTS RISK 


YES □ 

YES 0*No" □ 


YES. Q NO 0 
*YES 0 NO Q 
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SHUTTLE CRITICAL ITEMS LIST - GR3I7ER 1Q2 


SUBSYSTEM : AFT - REACTION CONTROL 
ASSEMBLY : THRUSTER, PRIMARY 
,P/N RI :MC467-0023 
P/N VENDG R:X309SS 
.QUANTITY : 24 

: ONE PER THRUSTER 


FMEA NC 03— 2 A -221312-1 REVU1/08/7 

ABORT: CP IT. F1JMCS 1 

CRIT. HDW: 1 

MISSIONS: HF VF X FF OF SM 

PHASECS): ?L LO X DC X DO X LS 


PREPAREO SYs 

OES 

.REL 


w SEARCY 
C M AKERS 



j REDUNDANCY SCRE 

APPROVE^ by: f 

0 £“ 

REL 


ITEM: THRUST CHAMBER 

FROM INJECTOR TO NOZZLE EXTENSION {COATED CCLU M 
FUNCTION: 


5Ns 4-N/A 3-M/A 



. r * 

Q pproved with changes 

See Section 13.0 


6 I AN) . 


TO CONTAIN HYPERGOLIC PEAC'IO.N OF PROPELLANTS AND DIRECT Ca-IPUSTIDN 


PRODUCTS THROUGH NOZZLE S EXTENSION TO PROVIDE IMPULSE TC VEHICLE. THE 
CHA.MB IS CONSTRUCTED CF C-103 CCLUMBIUH WITH P-512 A CX IDA” ION 
RESISTANT COATING AND UTILIZES FILM CODLING. THE CHAM8 PPESS IS 152 
PSI L IS DESIGNED TO PRODUCE a THRUST CF B70 -L3S VACUUM AT A NOMINAL 
STEADY STATE SPECIFIC IMPULSE CF 2SO SECONDS. 

FAILURE MODE: STRUCTURAL FAILURE (Si 

BURN THRU CR . RUPTURE IN CHAMBER. 

CAUSEIS): 


THERMAL CYCLINS/STRSSS FATIGUE* VIS, C n *B INST A 3 , SHOCK. SLOCKED INJ 
ORIFICES, HIGH TEM 0 / LOCAL I ZED HCT 5PQT5/IMADEQ CODLING NCZZLE 
RESTRICTION. 

EFFECT ( S ] : ON ( A 3 SUBSYSTEM (3)1 NTERF ACES (OMISSION (-D) CREW/ VEHICLE: 

{A ) LOSS OF REDUMOANCY-PGSS LOSS OF 3 THRUSTERS I c M * FOLD ISCiL- VALVE 
MUST BE CLOSED. (3) DEGRADATION OF IUTS D FAC£ FUNCTION— INCR GNLC l USE 
‘OF ALT THRUSTERS { Cl MISSION MODI F ICA T ION/ ABORT DECISION IF FAILURE 
CAUSES DAMAGE PROPAGATION. (0) POSSIBLE LOSS OF CF.EW/VEHICLE BURN- 
THRU MAY CAUSE HIGH TEMP OA MAGE TO SURR STRUCT u ADJ THRUSTERS 
RESULTING IN POSS ENTRY HAZ IF TPS IS DAMAGED. 

DISPOSITION £ RATIONALE ( A ) DESIGN ( 3) TEST (C ) INSPECTION { D 3 F A ILUR E HISTORY: 
(A) STRUCTURAL MARGINS ( 2.0 TC 4 . 0 } MINIMIZE FAILURE EFFECTS ). ENG 
DESIGNED TO INGEST UP TO 45 CU- IN. OF GAS. C S 3 RCS SYS EVAL TEST AT 
WSTF. THRUSTER QUAL FOR 50,000 CYCLES. (C) A VISUAL INS?. AND 
IDENTIFICATION IS PERFORMED AND THE UNIT TAGGED. CONTAMINATION CONTROL 
PROCESS, CORROS. PROTECTION PROVISIONS, NOE EXAM OF WELDS, RAW MAT * L 
(LOT) CERTIFICATION, PARTS PROTECTION, COATING AND PLATING PROCESSES ARE 
VERIFIED BY INSPECTION. MANUF, INSTALLATION, AND ASSY OPERATIONS ARE 
VERIFIED BY SHOP TRAVELER MANDATORY INSP POINTS. THE ABOVE ITEMS AND 
THE FOLLOWING ITEMS WERE VERIFIED BY AUDIT CONDUCTED 9 - 2 - 76 . 
CONTAMINATION CONTROL PLAN, PROPERLY MONITORED HANDLING AND STORAGE 
ENVIRONMENT, SPECIAL MEASUREMENT STANDARDS AND EQUIP AMD MATL AND EQUIP 
CONFORMANCE TO CONTRACT R EQ MTS. TURNAROUND INSPECTION TC INCLUDE USE OF 
OPTICS WHERE ACCESSIBLE TO DETERMINE EVIDENCE OF PLUGGED ORIFICE. FLUID 
SAMPLING TQ BE PERFORMED TO OETECT CONTAMINATION. (D) NO DIRECT FAILURE 
HISTORY AVAILABLE. 
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shuttle critical items list 


CR3ITER 102 


SUBSYSTEM : AFT - REACTION CONTROL 
ASSEMBLY : THRUSTS 0 , PRIMARY 
, P/N RI : M C467— 0028 
>P/N VEN0GR:X3Q872 
QUANTITY :24 

:QNE per thruster 


FMEA NO 03-2A. -221313-1 REV: Ll/08/76 
ABORT: CRIT- PUNC: L 

CR IT . HDU « i 

MISSIONS: HF VF X FF OF SM 

PHASEtS): PL LO X. CO X DG.X LS 


REDUNDANCY SCREEN: A-M/A 5-N/A C-M/A 


PREPARED BY: 

.DES 

RSL 


te. SEARCY 
C M AKERS 


# 


\ 

APPROVE; 

oes 

REL 


m 



.ITEM: NOZZLE EXTENSION, 

COATED C0LU.M3IUM {WITH INSULATION BLANKET]. 



FUNCTION: 

TC PROVIDE ISEN TROPHIC EXPANSION Dr COMBUSTION GASES FCR MAX EFF IN 
• VACUUM. NOZ EXT IS CONSTRUCTED GF C-LG3 CCLU^tlL’M WITH P-512A OXIDATION 
RESISTANT COATING. THE NOZZLE EXPANSION RATIO FS 22 T C U T HS flOZ EXT 
IS XNTEGR-AL WITH THE CGMS C’H A- M 9 a.NO ENCLOSED IN A DY MA FLEX IN SUL 
SHROUO SO THAT THE EXT TEMP IS MAINTAINED PER THE PROCUREMENT 
SPECIFICATION REQM'T. 

FAILURE MOOS : STRUCTURAL FAILURE* (S) 


BURN— THRU. 

CAUS£{ S ) : 

HIGH' TEMPERATURE IN LOCAL SPOT CCNTAMI-h ATEO INJECTOR C^Gl AMT HOLES ‘*=LD 
CR MAT 1 L DEFECT'.. 

.EFFECT! Sir. ON -(A) SUBSYSTEM (3 MNTERFACES (OMISSION (0) CP. EV/VEH ICLE: 

(.A) LOSS OF REDUNDANCY— P CSS' LOSS OF 3 THRUSTERS IF Y’FCLD ISGL VALVE . 
MUST 8£ CLOSED., t B J DEGRADATION' OF INTERFACE FUNCT ION-INCR 3N6C £ USE 
QF ALT THRUSTERS. BURN— THRU MAY CAUSE HIGH TEMP DAM TO SURE STRUCT, 


TPS, Z AOJ THRUSTERS (Cl MISSION- MODIFICATION/ ABORT DECISION IF 
FAILURE CAUSES DAMAGE PROPAGATION. (Q) LOSS CF CPEW/VEH ICLE— BURN- 
THRU MAY CAUSE HIGH TEMP DAMAGE TO SURR STRUCT Z ADJ STRUCTURES 
RESULTING IN POSS ENTRY HAZ IF TPS IS DA.MAGCC 
DISPOSITION Z RATIONALE { A ) DESIGN ■( 8}TES T (C ) INSPECTION C D ) FAILURE HISTORY: 
(AJ HIGH THERMAL MARGINS IN NOZZLE EXTENSION. AND HIGH COOLING MARGIN 
WILL MINIMIZE FAILURE EFFECT. ENG DESIGNED 

TO INGEST 45 CU. IN. OF GAS . THRUSTER CAN 5E ISOLATED AT INLET 
OR MANIFOLD VALVE. (ST RCS SYS.EVAL TEST AT WS-TF. THRUSTER- DUAL FOR 
50,000 CYCLES. IC) A VISUAL INSP AND IDENTIFICATION IS PERFORMED AMD 
THE UNIT TAGGED* CONTAMINATION CONTROL PROCESS, CORRGS. PROTECTION 
PROVISIONS. NOE EXAM OF WELDS . ‘ RAW- MAT 1 L {LOTT CERTIFICATION, PARTS 
PROTECTION* COATING A NO PLATING PROCESSES ARE VERIFIED 3Y INSPECTION. 
MANUF* INSTALLATION, AND ASSY OPERATIONS - AE VERIFIED BY SHOP TRAVELER 
MANOATORY INSP POINTS. THE A8CVE ITEMS AND THE FOLLOWING ITEMS WERE 
VERIFIED SY AUDIT CONDUCTED 9-2-76. CONTAMINATION CONTROL PLAN, 

PROPERLY MONITORED HANDLING AND STORAGE ENVIRONMENT, SPECIAL MEASUREMENT 
STANDARDS AND EQUIP AND MAT r L AND EQUIP CONFORMANCE TC CONTRACT REGMTS. 
TURNAROUND INSPECTION TO INCLUDE USE OF OPTICS WHERE ACCESSIBLE TQ 
DETERM INE EVIDENCE OF BURN-THRU. ID] NO DIRECT FAILURE HISTORY 
AVAILABLE- 
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SUBSYSTEM AFT - RCS 
ITEM 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-01 03-2 

FMEA NUMBER 03-2A-231 31 0-1 


Vernier Thruster 


failure MODE Loss of Output 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO OETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIONS T AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC}? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER I OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


YES 

0 

NO 

□ 

*YES 

0 

NO 

P 

YES 

0 

*N0 

□ 

YES 

0 

NO 

□ 

*YES 

□ 

NO 

□ 

i 

*YES 

□ 

NO 

0 

*YES 

n 

NO 

nr 

*o [T 

1 *i0 ; 

zP 


N/A CJYESQnoQ 


YES (Xj*NO □ 
YES 00*NQ □ 


CHANGE/ RETENTION RATIONALE SUMMARY 
NO H/S ISSUES 

2.Q0 HARDWARE ACCEPTS RISK 


3. Q NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 



3. Down modes to free drift. 

6.. No redundancy in the verniers. 
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SHUTTLE CRITICAL ITEMS LIST - OBITER L02 


SUSSYS7EM :AFT - REACTION CONTROL 
ASSEMBLY : VERNIER THRUST £R 
P/N RI SMCA-67 -QQZ9 . 

P/N VENDORS 
QUANTITY . . 

: 2 PER- PGD 
s.i P ITCH, i YAW 


FMEA NO 03- 2 A -231310-1 REV : 1 1/0 8/73 

ABORT: CP. IT* FUNC: 2 

CRIT. KDW: 2 

MISSIONS: HF VF X FF Or SM 

PHASEIS): PL LQ CO X DO LS ■ 


PREPARED BY: 

DSS 

PEL 


J' TAGGART 
C M AKERS 



ITEM: THRUSTER, ASSY, VERNIER 

25 PGUND THRUST LEVEL * EM 357/353/257/258. 
FUNCT ION: 


A— P ASS R-PASS C-FAIL 

APPROVED aVL/frlAS^ 

S5. M 



APPROVED WITH CHANGES 
See Section "13.0 



CNc PITCH <2 AXIS-UP FIRING) AMD ONE YAW I PLUS /MINUS Y AXIS) VERNIER 
THRUSTER ARE PROVIDED IN EACH ARCS MODULE TC PROVIDE P-ECISE LOW LEVEL 
PULSING AND ATTITUDE HOLD REQ'D EOF PAYLCAO MINTING. T H EY APE - - 
CONCEPTUALLY SIMILAR TC THE PSIM4PY THRUSTER BUT LIMIT PLUME 
IMPINGEMENT AND PROP RESIDUE CCNTAM TO r HE PAYLOAD. 

FAILURE MQOE: LOSS OF CUT°UT (THR UST 3 (F) 

INLET VALVES CLOSED DR I‘1J ORIFICE PLUGGED. 

CAUSEIS ) : 

OPEN SOL COIL, AUTO SHiJT-CWJ, INLET VLV LEAK /STRUCT FAIL, IMJ 
CONTAM/RES IOUE OR FROZEN PROP BLOCKING ORIFICE, CQ y 3 CHAVNuI STRUCT 
FAIL. 

EFFECT! S ) : ON (A)SUSSYSTEM { 3 3 INTERFACES (CJwi«S[f*N { J) CREW /VEHICLE: 

(A). LOSS -OF FUNCTION (VERNIER THRUSTERS 5-CURRENTLY LOSS OF SINGLE 
VERNIER THRUSTER CAUSES LOSS (SHUTDOWN) OF VERNIER CONTROL. ( BJ NC 
EFFECT. (C) MISSION MODIFICATION OR A30RT TEC ISI CM (POTENTIAL 
INABILITY TO RETRIEVE PAYLCAO). - IT IS POSSIBLE PAYLOAD COULD 3E 
RETRIEVED WHILE IN FREE DRIFT MC06 AND IN SOME INSTANCES PAYLOAD MAY 
HAVE ATTITUDE & TRANSLATION CCNTRCL. IT MAY EE POSSIBLE T C us? FWO Z. AFT 
PCS (X AXIS) ENGINES FOR PITCH (DOWNWARD) MOTION. (0) NC EFFECT. 

DISPOSITION £ RATIONALE (A)OESIGN (9)ThsT { C ) INSPECT ION (O)FAILURE HISTORY: 
(A) PGSS REDUND MOOES IN X AXIS PRIMARY THRUSTE 9 * PAYLOAD ATTITUDE 
CONTROL £ FREE DRIFT MODES. 100 MICRON F ILTFATION £ HEATERS PROVID'D TO 
LIMIT CONTAM £ PREVENT PROP FREEZING- (3) ThRUS~ER CU4L FOR 500,000 
CYCLES, 125,000 SEC BURN TIME,. INLET VALVE TESTED FOR 500,000 WET CYCLES 
£ 500Q DRY. (C) A VISUAL IMS? A‘NO IDENTIF IC ATIGN IS PERFORMED AND THE 
UNIT TAGGED. CONTAMINATION CCMTRGL PROCESS,- CQRRQS. PROTECTION 
PROVISIONS, NOE EXAM OF WELDS , RAW -MAT 'L (LOT) CERTIFICATION, PARTS 
PROTECTION, COATING ANO PLATING PROCESSES ARE VERIFIED BY INSPECTION. 
MANUFr INSTALLATION. ANO ASSY OPERATIONS ARE’ VERIFIED BY SHOP TRAVELER 
MANDATORY INSP POINTS. THE ABOVE ITEMS AND THE FOLLOWING ITEMS WERE 
VERIFIED BY AUDIT CONDUCTED 9-2-76.- CONTAMINATION CONTROL PLAN, 

PROPERLY MONITORED HANDLING AND STORAGE ENVIRONMENT, SPECIAL MEASUREMENT 
STANDARDS ANO EQUIP AND MAT ' L AND EQUIP CONFORMANCE TO CONTRACT 'REQHTS- 
TURNARGUNO - VISUAL INSP USING OPTICAL INSTRUMENTATION. SYSTEM FLUIDS 
ARE ANALYSED FOR EVIDENCE. QF CONTAMINATION. PROPER INLET VALVE FUNCTION 

■ ANO ELECTRICAL LOGIC POWER IS VERIFIED^ IbTwfDlReCT FA I LURE" HISTORY 
AVAILA8LS- 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 
SUBSYSTEM AFT- RCS FMEA NUMBER Q3-2A-231 31 0-2 

ITEM Vpynigy T h r"cto r FAILURE mode Fails to Stop Firing 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

YES 

m 

NO 

□ 

la. 

IF HOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

♦YES 

s 

NO 

P 

2. 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA -EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

YES 

0 *N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMflANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

□ 

NO 

0 


3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS - 
FAILURE MODE (EITHER BY- COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? * - 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AMD THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/ RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 3.p NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2. O HARDWARE ACCEPTS RISK 4. Q DETECTION DURING CHECKOUT 6 . (!3 RECOMMENDED CHANGES BELOW 


*YES (_} NO [X] 

♦YES □ NO 0 
♦YES □ NO 0 
*0 [X] *lQ 20 
M/A □YES0HO0 

YES (X)*NO □ 
YES (X]*NO Q 


QFMEA CHANGE RECOMMENDED 

EXPLANATION/COMMENTS : 

1. "Failed on" thruster C&W. 

6. No redundancy in the verniers. 
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SHUTTLE CRITICAL ITEMS LIST 


CR3I7ER 102 


SUBSYSTEM : AFT - REACTION CONTROL 
ASSEMBLY : VERNIER THRUSTER 
P/N RI : MC467— 0025 

P/N VENDOR: 

QUANTITY :*> 


FMEA NC 
ABORT: 


MISSIONS: 
PHASE! S 1 : 


03-2A -231310-2 REV: Ll/03/7? 

CP IT. FUNC: 2 

CR1T. HOW : 2 

HF VF X FF OF SM 

°L LO CO X DO LS 



PREPARED BY: 

DES 

REL 


PER POD 
PITCH* 1 YAW 


J TAGGART^ 
C M AKERS 


'REDUNDANCY screen: 


APPROVED, 
DES 
REL lij 





ITEM: THRUSTER* ASSY, VERNIER 

• 25 POUND THRUST LEVEL. EN 357/353/257/258. 

FUNCTION: 


A-PASS 8-PASS C— F AIL 



APPROVED BYL/NASA) 
3SM . 


DELETE 

See Section 13.0 


- 0M6 PITCH (2 AXIS-UP FIRING.) AND ONE YAV. { PLUS /MINUS Y AXIS) VERNIER 
THRUSTER ARE PROVIDED IN EACH ARCS MODULE TO PRO'/ TOE PFSCI3E LOW LEVEL 
PULSING AND ATTITUDE HOLD RED’D RDF PAYLOAD POINTING. ThEY ARE ' 
CONCEPTUALLY SIMILAR TO THE oe I MARY THRUSTER SU" L I y I T PLUG'S 
IMPINGEMENT AND PROP RESIDUE CGNTAM TO THE PAYLOAD. 

FAILURE MODE: FAILS TO STOP (F) 


FAILS OPEN* FAILS TO CLOSE (THRUSTER CONTINUES FI°tUS). 

.CAUS E ( S ) : 

CONTAMINATION, STRUCTURAL FAILURE,. DUAL SHCR T IN DRIVER CIRCUIT DUAL 
MOM FIRE COMMAND. VIS, SHOCK SEAL SEAT DA M , PRC 3 RESIDUE, FLUSH SALTS, 
COFROS, WEAR. 

EFFECT ( S ) 5. ON UISUBSYSTEM { S ) INTERFACES (OMISSION I 01 CREWVEH ICLE: 

(A) LOSS OF FUNCTION t VERNIER THRUSTERS) - CURRENTLY LOSS CF SINGLE 
VERNIER THRUSTER CAUSES LOSS (SHUTDOWN) OF VE°MISR CONTROL. (3) 
DEGRADATION OF INTERFACE SUB-SYSTEM - PROP LOSS DUE TO EXCESS oORM-TIMc 
UNTIL MANIFOLD CAN 5E ISC-L ATEQ-PGSS DAMAGE TO PAYLOAD OR PAYLOAD BAY 
ARMS- (C) MISSION MODIFICATION OR ABORT DECISION. (0) NO EFFECT. 
DISPOSITION £ RATIONALE (A ) DESIGN (8)TEST (C ) INSPECTION ( D ) e 4ILUP 5 HISTORY: 
(A) ISOLATION CAPABILITY IS AN AUTOMATIC FUNCTION *H I CH WILL ‘’INI-*IZS 
FAILURE EFFECT. POSS REDUND MODES OF OPERATION. (PRIMARY THRUSTERS, 

FREE DRIFT MODE £ PAYLCAD ATTITUDE CONTROL MAY PROVIDE ADDITIONAL 
CONTROL POTENTIAL). 100 MICRON FILTRATION PROVIDED. INADVERTENT FIRE 
SIGNAL IS IMPROBABLE DUS TO GPC/MDM DESIGN. I S3 THRUSTER DUAL FOR 
500,000 CYCLES, 125,000 SEC BURN TIME, INLET VALVE TESTED FOR 500,000 
WET CYCLES '£ 5000 DRY. (C) A VISUAL INS=> AND IDENTIFICATION IS 
PERFORMED AND THE UNIT TAGGED. CONTAMINATION CCNTRQL PROCESS, CGRPOS. 
PROTECTION PROVISIONS, NOE EXAM OF WELDS, PAw MAT 1 L (LOT) CERTIFICATION, 
PARTS PROTECTION, COATING AND PLATING PROCESSES ARE VERIFIED SY 
INSPECTION. MANUF, INSTALLATION, AND ASSY OPERATIONS ARE VERIFIED BY 
SHOP TRAVELER MANDATORY INSP POINTS. THE ABOVE ITEMS AMD THE FOLLOWING 
ITEMS WERE VERIFIED SY AUDIT CONDUCTED 9-2-76. CONTAMINATION CONTROL • 
PLAN, PROPERLY MONITORED HANDLING AND STORAGE ENVIRONMENT, SPECIAL 
MEASUREMENT STAN3SRQS AND EQUIP AND MAT’L AND ECU TP CONFORMANCE TO 
CONTRACT REQMTS. TURNAROUND - SYSTEM FLUIDS APE ANALYSED F0° EVIDENCE 
QF CONTAMINATION. PROPER INLET VALVE FUNCTION AND ELECT P I CAL LOGIC 

POWER IS VERIFIED.' (D ) NG^oTrECT FA II LIRE TTl STORY AVAILABLE. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST SD72-SH-0103-2 
SUBSYSTEM AFT - RCS FMEA HUMBER 03-2A-23T31 G-3 

-.ITEM Vernier Thruster i FAILURE MODE Barn Thru 


!' 1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
!• ’ • ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE- FMEA EVALUATION OF 
IN-FLIGhT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY- COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR' THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MOQE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH 'SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? 'NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. . WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) . 


CHANGE/RETENTION RATIONALE SUMMARY 

I.Q NO H/S ISSUES 3. Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2:.QD HARDWARE ACCEPTS RISK 4-0 DETECTION DURING CHECKOUT’ 6. □ RECOMMENDED CHANGES BELOW 


YES 

m 

NO 

□ 

*YES 

s 

NO 

P 

YES 

□ 

*NG 

0 

YES 

ea- 

NO 

□ 

*YES 

rn 

NO 

□ 

*YES 

□ 

NO 

0 

*YES 

□ 

NO 

EJ 

*o 0 *10 

zP 

N/A- □ YESCxjili 

oQ 


YES- {XJ*N0 □ 
YES 0*NO Q 


□ FHEA CHANGE RECOMMENDED 

EXPLANATION/COMMENTS: 

1. '^Failed off" thruster C&W. 

3. Down modes to free drift. 

6. No redundancy in the verniers. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


GRBITER IC 2 


SUBSYSTEM : A FT - REACTION CONTROL 
ASSEMBLY tVERNlER THRUSTER 
P/N PI :mCa67-0C29 
P/N VENDOR: 

QUANTITY JL 

: 2 PER POD 
: 1 PITCH, I YAW 


FMEA NO 03-2A -231310-3 REV:ll/CE/7t 
A60RT: CRT f. FOi\C= 1 

CR IT • NWD : 1 

MISSIONS: HP VF X FF OF SM 

PHAS c ( S 5 : PL LO X 00 X DO X LS 

NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 2 

REDUNDANCY SCREEN: A-N/A B-N/A C-N/A 


FAILURE DETECTABLE IN FLIGHT?. YES TIME TO EFFECT: 

CHAMBER PRESSURE ON EACH ENGINE, VA2PS252 1 THRU SECONDS 

V4 2 P—2534 AND V42P-3521 THRU V42P-3534 REFERENCE DOCUMENTS: 

MC 621— CO 5V 


.GROUND TURNAROUND? YES MJ070-CCG1-CIB 

•VISUAL INSPECITON SD72-SH-C 103-2 

VS70— 421001 


PREPARED BY: 

des j. Taggart 

REL CM AKERS 


APPROVED BY: 

DES 

' REL 


ITEM: THRUSTER, ASSY, VERNIER 

25 POUND THRUST LEVEL. EN 357/35S/257/25S . 


FUNCTION: 

ONE PITCH (2 AXIS-UP FIRING) AND C'Jt YAW [PLUS/MINUS Y AXIS) VERNIER 
THRUSTER ARE PRGV10ED IN EACH ARCS MODULE TO PROVIDE PRECISE LOW LEVEL 
PULSING AND ATTITUDE HOLD REQ'D FOR PAYLOAD POINTING. THEY ARE 
CONCEPTUALLY SIMILAR TO THE PRIMARY THRUSTER 3UT LIMIT PLUME 
IMPINGEMENT AND PROP RESIDUE CCNTAM TO THE PAYLOAD. 

FAILURE MGCE: STRUCTURAL FAILURE (S) 

BURN Thru or ruptOre in chamber. 

CAUSE (S ) : 

THERMAL CYCLING /STRESS FATIGUE, VIE, COM? INSTAR, SHOCK. BLOCKED IN J 
ORIFICES', HIGH I EMP/ LOCAL I ZED HOT SPGTS / 1NA0EQ COOLING NOZZlE 

restriction. 

c FF ECT( S ) : On ( A ) SU3S YS1 EM (B J INTERFACE S (OMISSION ID } CREW/VEhICLE : 

(A) LOSS CF FUNCTION-CURR ENTLY LOSS OF SINGLE VERNIER ThRUSTEK CAUSES 
LOSS (SHUTDOWN) OF VERNIER CONTROL. (3) DEGRADATION OF INTERFACE 
FuNCT ION— INCH G NEC £ USE OF ALT THRUSTERS (C) MISSION 
MuOIFICAT I0M/A5URT DECISION IF FAILURE CAUSES DAMGE PROPAGATION. (D) 
POSSIBLE LOSS OF CR Ew/v EH 1C LE-5 URN-ThftU MAY .CAUSE HIGH TEMP DaMAGc TO 
SUP R STRUCT C ADJ THRUSTERS RESULTING IN POSS ENTRY HAZ IF TPS IS 


DAMAGED . 

CCRFECTING ACTION: 

ISOLATE PROPELLANTS FROM THRUST FR (AT MAN I POLO LEVcL) AND ASSESS FOR 
LEAKAGE AND DAMAGE TO SURROUNDING STRUCTURE. 


f> 


SMAP.KS/HAZARDS : 


THERE IS NO aUTO thruster 
P<_-T IMP IN’C'iT GF HLT GaSES 

may cause migh temp cam tu 


1SDL AFTER BURN INITIATION (DURING FlKi.\b). 


CM MODULE STRUCT C aDJ ThRUS 
SUR* STRUCT L aOJ TrtRUSTEKS 


EkS. dUxN-THKU 

resulting in fuss 


l-MRY HAZ IF. TPS IS DAMAGED. 



SHUTTLE CRITICAL ITEMS LIST 


ORE ITER 102 


SUBSYSTEM :AFT - REACTION CONTROL 
ASSEMBLY : VERNIER THRUSTER 
,P/N RI s MC AcT— 0029 

,P/N VENDOR: •' ' 

.QUANTITY :A 


FMEA NC 03-2A -231310-3 PEV: 11/08/73 
ABORT: CP IT. FUNC: 1 

CRIT. HCa: 1 

MISSIONS: HF Vr X FF CF S-M 

PHASE ( S ) : PL LQ X CO X DC X" LS 


tZ PER POD 
ii PITCH-, 1 YAW 


PREPARED -BY:* 
,OES 
»REL 


J TAGGART 
C M AKERS 




ITEM: THRUSTER, ASSY, VERNIER 
. 25 POUND THRUST LEVEL. EM 357/335/257/258. 
FUNCTION 


A— N/ A 


B-N/A C-N/A 



APPROVED BY. MASAI: 
ssm 

«“» 1 , 

Proved with chang es 

See Section 13.0 


ONE PITCH (2 AXI.S-UP FIRING) AND ONE YA* (*LU$/MINUS Y AXIS) VERNIER 
THRUSTER ARE PROVIDED IN EACH ARCS MODULE T 0 PROVIDE P c ECISc LG* LEVEL 
PULSING AMO ATTITUDE HOLC RSC’O FOR FAYLCAC POINTING. THEY ARE 
CONCEPTUALLY SIMILAR TO THE PRIMARY THRUSTER PUT LIMIT °LUME 
IMPINGEMENT AND PROP RESIDUE COMTAM TO T HS PAYLOAD. 


FAILURE MOOS: STRUCTURAL FAILURE . (S) 

BURN THRU OR RUPTURE IN CHAMBER* 

CAUScCS): 

THERMAL CYCLING/ STRESS FATIGUE, VIB,. CCMR INS7A8, SHOCK. a LCCKED I'U 
nRIFICES, HIGH TEMP / LOCAL I Z ED HCT. SPOTS/ INADEO CCGLING NCZ2LE 
RESTRICTION. 

EFFECT(S): ON ( A ) SUBSYSTEM ( 8 ) I NTERF ACES {OMISSION (P) fREV/VEHICLES 
( A ) LOSS OF FUNCTION— CURRENTLY LOSS OF SINGLE V ERNIE 5 * THRUSTER CAUSES 
LOSS (SHUTDOWN) OF VERNIER CONTROL. (E) DEGRADATION OF INTERFACE ' 
FUNCT ION- 1 NCR GN£C £ USE OF ALT THRUSTERS (C) MISSION 
HCOIF IC ATICN/ ABORT DECISION IF FAILURE CAUSES CAM3E PROPAGATION. (D5 
POSSIBLE LOSS OF CR EW/VEH IC LE— 3URN— THRU MAY CAUSE HIGH TEMP DAMAGE TC 
SURR STRUCT £ ADJ THRUSTERS RESULTING IN POSS ENTRY HAZ IF TPS IS 


DAMAGED. 

DISPOSITION £ RATIONALE (A)OESIGN (B)TEST (C ) INSPECTION (D) FAILURE HISTORY: 

- (A) STRUCTURAL MARGINS (2.0 TO A.O) MINIMIZE FAILURE EFFECT ( S ) • PGSS 

- .RED'JND MODES IN X AXIS PRIMARY THRUSTER, PAYLOAD ATTITUDE CONTROL £ FREE 
DRIFT MODES. 100 MICRON FILTRATION £ HEATERS PROVIDED TO LIMIT CON TAM £ 
PREVENT PROP FREEZING. (8) THRUSTER QUAL FOR 500,000 CYCLES, 125,-000 
SEC BURN TIMS, INLET VALVE TETED FOR 500,000 WET CYCLES £ 5000 DRY. (C) 

A VISUAL INS? ANO IDENTIFICATION IS PERFORMED AND THE UNIT TAGGED. 
CONTAMINATION CONTROL PRGCESS, CuRRGS. PROTECTION PROVISIONS, NOE EXAM 
OF WELDS, RAW MAT * L (LOT) CERTIFICATION, PARTS PROTECTION, COATING AND 
PLATING PROCESSES ARE VERIFIED BY INSPECTION. MANU^, INSTALLATION, AND' 
ASSY OPERATIONS ARE VERIFIED BY SHOP TRAVELER, MANDATORY INSP POINTS. • 
THE ABOVE ITEMS ANO THE FOLLOWING ITEMS WERE VERIFIED BY AUDIT CONDUCTED 

'9-2-76. CONTAMINATION CONTROL’ PLAN, PROPERLY MONITOR ED HANDLING ANO 
STORAGE ENVIRONMENT, SPECIAL MEASUREMENT STANDARDS AND EQUIP ANO HAT’ L 
AND EQUIP -CONFORMANCE TO CONTRACT REQMTS. TURNAROUND - VISUAL INSP 
JJSING ^OPTICAL IN STRUMEN TATION. SYSTEM FLUIDS ARE ANALYSED FOR EVIDENCE 

Q"F CONTAMINATION. - PROPER I NL5T " VAL VE~FUNCf fON _ ’ AND - ' ELECTRI CAL' LCGlC 
POWER IS VERIFIED. (D) NO DIRECT FAILURE HISTORY AVAILABLE. 
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MEETING MINUTES 


Review of JSC 14651, Hardware/ Software Interaction Analysis Volume VIII, 
AFT Reaction Control System Part 2 of 2. 


1. Telecon held between Boeing-Houston/Rockwell , Downey 11/5/79 12:30 PM 
to 2:00 PM. 


2. Attendees 


Organization 


Phone 


Lonnie Jenkins 
Dave Latham 
Don Cagle 
Herb Saxton 
Larry Gladu 


NASA/JSC 

Bo e i ng/ Re 1 i a b i 1 i ty 
Boeing Reliability 
Rockwell Propul sion/RCS 
Rockwell Systems Engineering 


X 3851' 

527-0323 (FTS) 
527-0323 (FTS) 
X 4503 
X 1189 


3. The following changes were discussed and will be incorporated in the final 
release of AFT Reaction Control System Hardware/Software Interaction Analysis 
and will be reflected in the next update of AFT RCS FMEA. 

Q3-2A-201 01 0-1 : Change SM to RM GAX, change 400 psi to 500. Add gross leak 
detection. Add crossfeed. 


Q3-2A-201013-1 : 
03-2A020I 020-1 : 

03-2A-201 030-2 : 
03-2A-201 035-1 : 
03-2A-201 060-4 : 

03-2A-201 070-1: 


No. 1 same as 201010-1. Add crossfeed. Add gross leak detection. 

Change question 1 to ullage transducer will give C&W alert 
< 200 psi. Change no to yes. 

Question 1 same as 201020-1 

Question 1 same as 201020-1. Add gross leak detection. 

Change question 1 no to yes and "No Software^Detection" to 
"Hardware Accepts Risk". Add gross leak detection. 

Change question 1 and 2 to gross leak detection. Add POD 
Redundancy to question 6. 


03-2A-201 080-1 : Change question 1 to gross leak detection. Change question 

6 from 2 to 0 and add "Need minimum of 2 yaw thrusters. 
Crossfeed is available. Pods are redundant. 


03-2A-201 090-1 : 

03-2A-2Q1 095-2 : 
03-2A-2021 08-1 : 
03-2A-2021 09-1 : 


Change question 1 to gross leak detection. Add question 6 - 
Pod redundancy. 

Change question 6 from 1 to 2 and delete comments. 

Change' question 1 to gross leak detection. Delete question 7. 
Delete questions 1, 3a and 6. 


129 



2 


Q3-2A-2021 1 0-1 : 
Q3-2A-2021 1 1 -2 : 
03-2A- 2021 20-3: 


03-2A-2021 50-1 : 

03-2A-21 1 1 TO— 1 : 
03-2A-2in 1 0-2: 


03-2A-211 120-1 : 

03-2A-221 308-1 : 

03-2A-221 31 0-4 : 

03-2A-22131 1 -1 : 
03-2A-221 31 2-1 : 
03-2A-221 31 3-1 : 
03-2A-231 31 0-1 : 


03-2A-23131 0-2 : 
03-2A-231310-3: 


Change question 1 to - First indication "failed off" thruster 
C&W for 1/2 leg, redundant paths on 3,4,5 leg. 

Question 1 change no to yes. Add "failed off" thruster gives 
first indication. 

Change question 1 from yes to no and delete comments. Change 
question 3 from no to yes and add "RCS RM automatically detects 
and prevents thrusting". 

Change question 1 to gross leak detection. Change question 6 
from 0 to 1 and add "There is one success path remaining after 
first failure. 

Change question 1 to gross leak detection. Change question 6' 
to POD Redundancy 

Delete la/3a add question 1 "failed off" thruster may illuminate 
if < 40 psi is sensed 3 times, 80 milliseconds apart. Change 
no to yes. Question 2 change yes to no. Change question 3a 
from yes to no. Change question 6 from 0 to 1 . Add crossfeed. 

Change question 1 to-gross leak detection. Change question 6 
from 0 to 1 . Add crossfeed. 

Change question 1 to gross leak detection. Delete comments 
question 2, Delete comments question 3 and change yes to no. 

Delete la/3a, add question 1 "failed off" thruster C&W. Change 
no to yes. Question 3 change no to yes. 

Same as 221310-4. 

Same as 221310-4. 

Question la change yes to no. Question 3a change yes to no. 

Change no to yes, question 1 change no to yes, question 3 and 
add "down modes to free drift". Change yes to no, question 
3a. Question 6 change 2 to 0 and add "No redundancy in the 
verniers! 1 . 

Question 1 change no to yes, add "failed on"' thruster C&W. 
Question 3a change yes. to no. Question- 6 change 2 to 0 and 
add "down modes to free drift." 

Question 1 change no to yes. Change comments to "failed off" 
thruster C&W. Question 2, delete comments. Question 3, change 
no to yes and add "down modes to free drift". Question 6 change 
2 to 0 and add "No redundancy in the verniers." 
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Approved by: 
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